The Russian invasion of Ukraine has split the hacking community, sending some of the most recognizable and powerful groups scrambling to pick a side to declare which has their allegiance.

In a tweet, hacking group Anonymous declared "a cyberwar against the Russian government" and has claimed to be responsible for attacks that brought down Russia Today, a state-backed news outlet, and several government websites. It also said it hacked other Russian state-TV channels.

Conti, a ransomware group with possible ties to Russian intelligence that attacked more than 290 American targets last year, declared its "full support of Russian government" and said it would use "all possible resources to strike back" at any adversaries. Cyberthreat intelligence company Orpheus Cyber reported another group united with Russia obtained stolen data from more than 45 Ukrainian government websites, and some of it is up for sale.

Motives that push hacking groups to pick a side range widely. Members of Anonymous have stated that their guiding principle is "anti-oppression," while Russian-aligned attacks may be state-sponsored. Pro-Russia attacks can also come from groups who feel pressured to operate on their behalf by the Kremlin.

"It's not entirely clear what the connection is between the ransomware gangs and the Russian government," said Brett Callow, a threat analyst at Emsisoft. "At best, they are working within a permissive environment. At worst, they are working for certain wings of the Russian government."

"Some of the actions of Russia's government just prior to the war — shutting down the REvil gang or arresting them and shutting down a number of dark web forums and shops — these cybercriminals are afraid that if they don't support the regime, they're going to be next," said Alex Holden, the founder of Hold Security.

Hacking groups may become targets for moving away from their usual financial motives for attacks. After Conti declared support for Russia, an apparent insider who objected to the group's support for Russia leaked a trove of internal chat messages and other files that Holden says "mortally wounded" the gang.

"When we see things like this, we are learning how in 2021, 2022, cybercriminal enterprises operate, so we have [the] ability to detect and deter organizations like this in the future," Holden said.

Moving forward, experts say that any further cyber escalation could spell trouble for those outside the conflict zone, including Americans. Groups like Conti could come back to hit the U.S. as well.

"They are a highly effective ransomware group, albeit one that has terrible operational security," Callow said. "They likely do still have access to certain U.S. networks that they have yet to encrypt, and they could potentially do that any time."

Newsy is the nation’s only free 24/7 national news network. You can find Newsy using your TV’s digital antenna or stream for free. See all the ways you can watch Newsy here: https://bit.ly/Newsy1

---

Trending stories at Newsy.com

BRIGHTON, Colo. — Cyberattacks are becoming more common and more disruptive to our daily life, and many experts worry the nation’s food supply is the next big target.

“In the past, I don't think we gave a lot of thought to cybersecurity,” said Robert Sakata, a farmer in Brighton, Colorado.

Sakata’s family has farmed for decades.

“So, my dad started the farm, and he and his family actually were farming in San Francisco when World War Two broke out, so they were moved to an internment camp, ended up in a camp in Utah,” said Sakata. “When he was released from that camp, Colorado was one of the few places that were actually not discouraging Japanese-Americans from coming in.”

Once the war ended, the Sakata family rebuilt their life and started a new farm 30 minutes outside of Denver.

Their farm, along with the thousands of other farms across the country, is now facing a new threat that didn’t exist just a few years ago.

“When you talked about security, it was somebody maybe coming out here, and believe it or not, that's what they've actually done—come out here and steal the wheels off of this sprinkler, steal the copper wire that's along there,” said Sakata.

But now, it’s also cybercriminals Sakata worries about. Any machine, like a tractor or a sprinkler system that’s connected to the internet could be hacked and remotely controlled.

These threats could mean interruptions to daily life for millions of Americans.

“If a CPA firm gets breached, a bunch of social security numbers get stolen, you're dealing with identity theft. That's one thing, right? But when people don't have food, you're talking about riots in the streets,” said Joseph Brunsman, founder of the Brunsman Advisory Group. Brunsman is a provider for cybersecurity insurance.

Brunsman said these attacks, if large enough, could leave families hungry.

“A lot of people living on fixed incomes or people that are, you know, lower on the socio-economic scale, when food prices go up, you know, 10, 20, 30%, that means they have to make that decision: Am I going to pay for food? Am I going to pay for heating this month? So, it's really a serious, serious idea for a lot of people.”

Hackers can also stop farming equipment or food production equipment from working and demand a ransom be paid. Ransomware attacks have become more common, and food production has seen multiple large attacks in recent months.

Meatpacking company JBS was hacked in June and plants were shut down across the country after a ransomware attack.

JBS paid hackers $11M to get operations back online.

“This was a very difficult decision to make for our company, and for me personally,” said Andre Nogueira, the CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

“You hear about ransomware where you would totally lock up and we couldn't have control. That would be a real, real issue that then we couldn't water the crop at all,” said Sakata.

“Because everyone needs to eat, an attack, a successful attack within the food and agriculture industry can quickly cascade into a national security concern,” said Scott Algier, the executive director of the Information Technology Sharing and Analysis Center, known as IT-SAC. “We're seeing a lot of the same attacks on other industries already, but some of the potential consequences could be a little more impactful.”

In addition to ransomware, there’s concern about groups hacking and stealing intellectual property – like seed formulas.

“There's a lot of intellectual property that the fruit and agriculture industry has that that is of interest to other organizations, other countries,” said Algier.

“We could lose our entire year of income by somebody taking over something and creating a problem by not letting the sprinkler run or not having that shipment go through,” said Sakata. “So, it's a big risk not only just for my family, but then for whoever is depending on those food sources.”

These threats are why Sakata goes old school on some things. He doesn’t connect his storage refrigerator to Wi-Fi to keep his crops safe.

“The only way somebody can hack it is really to break in at the door and change the settings,” said Sakata. “Even then, I have a password!”

What he can protect digitally, he does, and he said he and other farmers now often discuss how to defend themselves from cybercriminals.

“Whether it's going now to multiple-step verification, you need maybe another key fob that identifies yourself, that is all going to be critical as we move forward,” said Sakata.

Brunsman said cybersecurity insurance can also help, but there are several other inexpensive options for smaller farmers as well.

“Even really basic, very affordable controls, such as multi-factor authentication, having multiple backups, having offline backups, email security, security awareness training, that kind of stuff. It's not super expensive. It's really quite affordable. In many cases, it's like the cost of a cup of coffee per person per month. That can really go a long way,” said Brunsman.

Those who study these attacks say they’re happening every single day on a small scale. It’s only a matter of time before the next large-scale attack occurs.

“The threats are coming up and several different sides, we're seeing, we've already seen threats against both producers and production facilities,” said Doug Jacobson, a professor of electrical and computer engineering at Iowa State University. “We had a co-op here in Iowa that was attacked. So, we see it from the large organization side of things. But anybody on the internet, even a farmer can be attacked.”

“It's kind of scary,” said Sakata. “I think if you dwelled on it too long, it would keep you up at night.

He just hopes other farms will take the steps he’s taking to protect what we all can’t live without: our food supply.

“We need to really ensure that we're doing everything we can to protect that. It would be really scary if we ever got to the day where people would go to the grocery store and there wasn't, wasn't any food,” said Sakata.

Algier echoed the need for collaboration to stop cybercriminals.

“Cyberattacks are happening everywhere all the time. So, it is something that every enterprise, no matter your size, and no matter industry, something you need to pay attention to,” said Algier. "The cybersecurity threat is so big that nobody can do it, nobody can defend it against on their own.”

Robinhood said Monday it was hit by a data breach earlier this month that exposed information on millions of customers and that hackers later demanded an extortion payment.

The trading platform said in a statement that the Nov. 3 attack allowed the unauthorized party to obtain a list of email addresses for about 5 million people and full names for another group of about 2 million people.

The company said the incident caused a "limited number of people," approximately 310 in total, to have their names, dates of birth and zip codes exposed. About 10 customers had "more extensive account details revealed," Robinhood said, without elaborating.

"We believe that no Social Security numbers, bank account numbers or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident," the company said in the statement.

After Robinhood contained the intrusion, "the unauthorized party demanded an extortion payment," according to the statement. The company said it "promptly" informed law enforcement but did not indicate whether it complied with the extortion payment demand.

Shares of Robinhood were down about 3% in after-hours trading Monday.

The unauthorized party gained access to Robinhood's customer support systems by posing as a customer support employee by phone, the company said.

Robinhood said it is in the process of making "appropriate disclosures to affected people" and is continuing to investigate with the help of security firm Mandiant.

"As a Safety First company, we owe it to our customers to be transparent and act with integrity," Caleb Sima, Robinhood's chief security officer, said in the statement. "Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do."

Suspected Iranian hackers have targeted dozens of defense technology and maritime transportation firms, successfully breaching a small number, in a spying campaign launched since July that could leave some of the companies vulnerable to follow-on hacking attempts, Microsoft announced Monday.

Among the targets were companies that work with the U.S., European Union and Israeli governments to make satellite systems, drones technology and "military-grade radars," Microsoft said.

It's just the latest effort by an alleged Iranian hacking group to access sensitive data held in the maritime sector. Another Iranian group last year stole information on the military unit of U.S. Navy members, according to IBM.

"Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program," Microsoft researchers wrote in a blog post on Monday.

Microsoft did not attribute the activity directly to an Iranian government organization but instead said the hacking "supports the national interests" of Iran based on a number of factors, including hacking techniques associated with another Iranian group.

John Lambert, head of Microsoft Threat Intelligence Center, told CNN that Microsoft discovered the hacking activity when responding to a breach of a U.S. financial services firm this summer.

The goal of releasing information on the intrusions now is to help organizations prepare for follow-on breach attempts, Lambert said. The hackers, he added, could look to use stolen login information to break into the internal networks of targeted organizations.

The suspected Iranian operatives tried guessing passwords at roughly 250 organizations, including unnamed U.S. and Israeli defense firms and organizations operating in Persian Gulf ports, according to Microsoft. The hackers managed to breach "less than 20" of those organizations, the tech firm said.

The maritime sector has long been of interest to Iran's intelligence services and the country sits on the Strait of Hormuz, through which about a fifth of the world's oil shipments pass.

"Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors," the Washington State-based technology provider said.

While this activity appears concentrated on Persian Gulf ports, U.S. maritime authorities have also had to raise their network defenses in response to threats.

Unidentified hackers in August breached a computer network at the Port of Houston, U.S. officials have said. Early detection of the incident meant the intruders weren't in a position to disrupt shipping operations, according to a Coast Guard analysis of the incident obtained by CNN.

"The shipping lanes are the highways of the sea," Lambert said. "And anything related to that is going to be in the crosshairs and subject to geopolitical dynamics."

CNN —

Related video: Biden tells Putin 'to act' against ransomware groups

REvil, the ransomware gang that attacked meat supplier JBS Foods this spring and a major IT software vendor this month, has mysteriously vanished from the internet, according to cybersecurity experts tracking the group.

Websites and other infrastructure belonging to the cybercriminal gang, which is believed to operate from Eastern Europe or Russia, went dark on Tuesday as close observers of the group found they were unable to connect to REvil's web page listing its victims.

Others said they were unable to connect to the sites REvil uses to communicate with victims and collect ransom payments.

"All REvil sites are down, including the payment sites and data leak site," tweeted Lawrence Abrams, creator of the information security blog BleepingComputer. "The public ransomware gang represenative [sic], Unknown, is strangely quiet."

The reasons for REvil's disappearance were not immediately clear, but it follows a raft of high-profile hackings by the group that seized control of computers around the world. It also comes after President Joe Biden said he warned his Russian counterpart Vladimir Putin there would be consequences if Moscow failed to address the ransomware attacks emanating from within its borders.

The Biden administration has increasingly identified ransomware as a threat to national and economic security, highlighting its potential to disrupt critical infrastructure that Americans depend on.

Ransomware works by locking down a computer network, stealing and encrypting data until victims agree to pay a fee.

Those who refuse can find their information leaked online. In recent years, ransomware gangs have gone after hospitals, universities, police departments, city governments, and a wide range of other targets.

A source familiar told CNN the House Intelligence Committee has not been briefed on what caused REvil to go dark. An aide with the Senate Intelligence Committee said "no comment" when asked if that committee had been briefed on the situation.

Over the July 4 holiday weekend, cybersecurity experts said REvil was responsible for an attack on Kaseya, an IT software company that indirectly supports countless small businesses including accounting firms, restaurants and dentists' offices.

REvil claimed credit for the attack, demanding an eye-popping $70 million ransom to release the affected machines. US officials have also said REvil was behind the attack on JBS, one of the world's largest meatpacking companies.

REvil has obtained $11 million from victims in the course of its operation, according to the cryptocurrency payments tracker Ransomwhere.

The group's sudden disappearance has prompted widespread speculation about what may have occurred. Theories range from planned system downtime to a coordinated governmental strike. But at this stage, experts are still guessing. The FBI and U.S. Cyber Command declined to comment on whether they may have been involved.

"This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise — we don't know," said Steve Moore, chief security strategist at the cybersecurity firm Exabeam.

Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike, hypothesized that western governments may be pressuring internet infrastructure companies not to complete web browser requests for REvil's sites.

Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, cautioned that while an inability to connect to REvil's sites may be a potential indicator of law enforcement involvement, it doesn't prove it conclusively.

"Last week REvil's site was down for a bit as well," he said in a statement to CNN.

REvil is among the most prolific ransomware attackers, according to the cybersecurity firm CheckPoint. In the last two months alone, REvil conducted 15 attacks per week, CheckPoint spokesman Ekram Ahmed said.

Given the attention it has generated, REvil may have voluntarily chosen to lay low for a while, Ahmed added. "We recommend not jumping to any immediate conclusions as it's early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we've ever seen."

Anne Neuberger, the top White House cyber official, was traveling with Biden on Tuesday, though her reasons for accompanying the president to Philadelphia were not clear. A White House spokesperson didn't immediately respond to a request for comment.

WASHINGTON —

President Joe Biden told Russian President Vladimir Putin in a Friday phone call that he must "take action" against cybercriminals acting in his country and that the U.S. reserves the right to "defend its people and its critical infrastructure" from future attacks. the White House said.

The warning to Putin was largely a repetition of the tough rhetoric Biden had used during their meeting in Geneva last month, when he warned that there would be consequences for continuing cyberattacks emanating from Russia. Since then, a new ransomware attack linked to the Russia-based REvil hacking group has caused widespread disruption, placing Biden under growing pressure to this time marry the warning with actions — though none were immediately announced.

"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said, speaking to reporters at an event on economic competitiveness.

Asked whether there will be consequences, he said, "Yes."

The call with Putin underscored the extent to which the ransomware threat from criminal hacker gangs has mushroomed into an urgent national security challenge for the White House, and it suggested a possible concession by the administration that earlier warnings to the Russian leader had failed to curb a criminal activity that has taken aim at businesses across the globe.

A White House statement announcing the hourlong call also highlighted a U.S.-Russian agreement that will allow humanitarian aid to flow into Syria. The dual prongs of the agenda show how even as Biden pledges to get tough on Russia over hacking, there's an inherent desire to avoid aggravating tensions as the administration looks for Russia to cooperate, or at least not interfere, with U.S. actions in other areas, including Syria, the Afghanistan withdrawal and climate change.

In his call with Putin, besides reiterating the need for Russia to take action and that the U.S. stands ready to act in response, Biden also "emphasized that he is committed to continued engagement on the broader threat posed by ransomware," the White House said.

Biden told reporters that the U.S. and Russia have "set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I'm optimistic."

In its own summary of the call, the Kremlin said "Putin noted that despite the Russian side's readiness to jointly stop criminal activities in the information sphere, U.S. agencies haven't made any requests during the past month."

The Kremlin said the two leaders emphasized the need for cooperation on cybersecurity, which it said "must be permanent, professional and non-politicized and should be conducted via special communication channels ... and with respect to international law."

The Kremlin statement also noted that Biden and Putin touched on the situation in Syria "with a special emphasis on humanitarian aspects" and "gave a positive assessment of coordination of Russian and U.S. efforts on the issue, including in the U.N. Security Council."

The White House declined to discuss the tone of Biden's call, though press secretary Jen Psaki said it did focus significantly on the latest breach, which cybersecurity researchers have said infected victims in at least 17 countries, largely through firms that remotely manage IT infrastructure for multiple customers.

Though Biden had previously said the attack had caused "minimal damage," and it did not appear to target vital infrastructure, the sheer global scale and the fact that it occurred so soon after the Geneva meeting put immediate pressure on the administration to have some sort of response.

Officials did not immediately announce any specific actions they were taking or would consider taking. There are few easy options to resolve the threat without risking a conflict that could spiral out of control beyond the cybersecurity realm.

The Biden administration took office on the heels of a massive cyberespionage campaign known as SolarWinds that U.S. officials have linked to Russian intelligence operatives. But ransomware attacks, perpetrated generally by criminal hacker gangs rather than state-sponsored hackers, appear to have eclipsed old-fashioned spying as a potent threat.

A May attack on a pipeline that supplies roughly half the fuel consumed on the East Coast caused the company to temporarily halt operations. Colonial Pipeline paid roughly $4.4 million in ransom, although U.S. authorities were able to claw back a large portion of that sum in a law enforcement operation last month.

Hackers also recently extorted an $11 million ransom payment from JBS SA, the world's largest meat processor.

—

Associated Press writer Vladimir Isachenkov in Moscow contributed to this report.

BOSTON —

The single biggest global ransomware attack yet continued to bite Monday as details emerged on how the Russia-linked gang responsible breached the company whose software was the conduit. In essence, the criminals used a tool that helps protect against malware to spread it widely.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency. It wasn't clear who they expected might pay that amount.

Sweden may have been hardest hit by the attack — or at least most transparent about it. Its defense minister, Peter Hultqvist, bemoaned on Monday "a serious attack on basic functions in Swedish society."

"It shows how fragile the system is when it comes to IT security and that you must constantly work to develop your ability to defend yourself," he said in a TV interview. Most of the Swedish grocery chain Coop's 800 stores were closed all weekend because their cash register software supplier was crippled. They remained closed Monday. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

A broad array of businesses and public agencies were affected, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. The cybersecurity firm ESET identified victims in countries including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don't publicly report attacks or disclose if they've paid ransoms.

On Sunday, the FBI said in a statement that while it was investigating the attack, its scale "may make it so that we are unable to respond to each victim individually." Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had "directed the full resources of the government to investigate this incident" and urged all who believed they were compromised to alert the FBI.

Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved. Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

On Monday, Putin spokesman Dmitry Peskov was asked if Russia was aware of the attack or had looked into it. He said no, but suggested it could be discussed by the U.S. and Russia in consultations on cybersecurity issues for which no timeline has been specified.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed and many victims might not learn of it until back at work Monday or Tuesday.

Most end users of managed service providers "have no idea" whose software keep their networks humming, said CEO Fred Voccola of the breached software company, Kaseya.

He estimated the victim number in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

Voccola said only between 50-60 of the company's 37,000 customers were compromised. But 70% were managed service providers who use the company's hacked VSA software to manage multiple customers. It automates the installation of software and malware-detection updates and manages backups and other vital tasks.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future.

But Kevin Reed of Acronis said the offer of a universal decryptor could be a PR stunt because no human involvement would be needed to pay a $45,000 base ransom demand apparently sent to the vast majority of targets. Analysts reported seeing demands of $5 million and $500,000 for bigger targets, which would require negotiation.

Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.

Sophisticated ransomware gangs on REvil's level usually examine a victim's financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid, although that does not appear to have happened in this case. But this attack was apparently bare-bones. REvil seems only to have scrambled victims' data.

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a "zero day," the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.

"The level of sophistication here was extraordinary," he said.

It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. That same year, 400 U.S. dental practices were crippled in a separate attack.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

___

AP reporters Jim Heintz in Moscow, Jan Olsen in Stockholm, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.

The cyber insurance industry, once a profitable niche, is now in the crosshairs of ransomware criminals.

They have hacked brokerages and major insurers.

Determining who has coverage and how much can help them pick targets and negotiate payments.

Skyrocketing extortion demands and a rise in ransomware attacks has the industry teetering on the edge of profitability.

Pressure is building on the industry to stop reimbursing for ransoms, but so far only one major cyber insurer, AXA, is doing so — and only with new policies in France.

To try to absorb the growing onslaught and stay profitable, insurers are retooling coverage, demanding clients up their security.

Video above: Biden to confer with Europe allies, confront Putin

Set to embark on the first overseas trip of his term, President Joe Biden is eager to reassert the United States on the world stage, steadying European allies deeply shaken by his predecessor and pushing democracy as the only bulwark to rising forces of authoritarianism.

Biden has set the stakes for his eight-day trip in sweeping terms, believing that the West must publicly demonstrate it can compete economically with China as the world emerges from the coronavirus pandemic.

Building toward his trip-ending summit with Russia’s Vladimir Putin, Biden will aim to reassure European capitals that the United States can once again be counted on as a dependable partner to thwart Moscow’s aggression both on their eastern front and their internet battlefields.

The trip will be far more about messaging than specific actions or deals. And the paramount priority for Biden, who leaves Wednesday for his first stop in the United Kingdom, is to convince the world that his administration is not just a fleeting deviation in the trajectory of an American foreign policy that many allies fear irrevocably drifted toward a more transactional outlook under former President Donald Trump.

“The trip, at its core, will advance the fundamental thrust of Joe Biden’s foreign policy,” said national security adviser Jake Sullivan, “to rally the world’s democracies to tackle the great challenges of our time.”

Biden’s to-do list is ambitious.

In their face-to-face sit-down in Geneva, Biden wants to privately pressure Putin to end myriad provocations, including cybersecurity attacks on American businesses by Russian-based hackers, the jailing of opposition leader Alexei Navalny and repeated overt and covert efforts by the Kremlin to interfere in U.S. elections.

Biden is also looking to rally allies on their COVID-19 response and to urge them to coalesce around a strategy to check emerging economic and national security competitor China even as the U.S. expresses concern about Europe's economic links to Moscow. Biden also wants to nudge outlying allies, including Australia, to make more aggressive commitments to the worldwide effort to curb global warming.

The week-plus journey is a big moment for Biden, who traveled the world for decades as vice president and as chair of the Senate Foreign Relations Committee, and will now step off Air Force One on international soil as commander in chief. He will face world leaders still grappling with the virus and rattled by four years of Trump’s inward-looking foreign policy and moves that strained longtime alliances as the former president made overtures to strongmen.

“In this moment of global uncertainty, as the world still grapples with a once-in-a-century pandemic,” Biden wrote in a Washington Post op-ed previewing his diplomatic efforts, “this trip is about realizing America’s renewed commitment to our allies and partners, and demonstrating the capacity of democracies to both meet the challenges and deter the threats of this new age."

The president first travels to Britain for a summit of the Group of Seven leaders and then Brussels for a NATO summit and a meeting with the heads of the European Union. It comes at a moment when Europeans have diminished expectations for what they can expect of U.S. leadership on the foreign stage.

Central and Eastern Europeans are desperately hoping to bind the U.S. more tightly to their security. Germany is looking to see the U.S. troop presence maintained there so it doesn’t need to build up its own. France, meanwhile, has taken the tack that the U.S. can’t be trusted as it once was and that the European Union must pursue greater strategic autonomy going forward.

“I think the concern is real that the Trumpian tendencies in the U.S. could return full bore in the midterms or in the next presidential election,” said Alexander Vershbow, a former U.S. diplomat and once deputy secretary general of NATO.

The sequencing of the trip is deliberate: Biden consulting with Western European allies for much of a week as a show of unity before his summit with Putin.

His first stop late Wednesday will be an address to U.S. troops stationed in Britain, and the next day he sits down with British Prime Minster Boris Johnson. The two men will meet a day ahead of the G-7 summit to be held above the craggy cliffs of Cornwall overlooking the Atlantic Ocean.

The most tactile of politicians, Biden has grown frustrated by the diplomacy-via-Zoom dynamics of the pandemic and has relished the ability to again have face-to-face meetings that allow him to size up and connect with world leaders. While Biden himself is a veteran statesman, many of the world leaders he will see in England, including Johnson and French President Emmanuel Macron, took office after Biden left the vice presidency. Another, Germany’s Angela Merkel, will leave office later this year.

There are several potential areas of tension. On climate change, the U.S. is aiming to regain its credibility after Trump pulled the country back from the fight against global warming. Biden could also feel pressure on trade, an issue to which he's yet to give much attention. And with the United States well supplied with COVID-19 vaccines yet struggling to persuade some of its own citizens to use it, leaders whose inoculation campaigns have been slower will surely pressure Biden to share more surplus around the globe.

Another central focus will be China. Biden and the other G-7 leaders will announce an infrastructure financing program for developing countries that is meant to compete directly with Beijing’s Belt-and-Road Initiative. But not every European power has viewed China in as harsh a light as Biden, who has painted the rivalry with the techno-security state as the defining competition for the 21st century.

The European Union has avoided taking as strong a stance on Beijing’s crackdown on Hong Kong’s democracy movement or treatment of Uyghur Muslims and other ethnic minorities in the western Xinjiang province as the Biden administration may like. But there are signs that Europe is willing to put greater scrutiny on Beijing.

The EU in March announced sanctions targeting four Chinese officials involved with human rights abuses in Xinjiang. Beijing, in turn, responded by imposing sanctions on several members of the European Parliament and other Europeans critical of the Chinese Communist Party.

Biden is also scheduled to meet with Turkish President Recep Tayyip Erdogan while in Brussels, a face-to-face meeting between two leaders who have had many fraught moments in their relationship over the years.

Biden waited until April to call Erdogan for the first time as president. In that call, he informed the Turkish leader that he would formally recognize that the systematic killings and deportations of hundreds of thousands of Armenians by Ottoman Empire forces in the early 20th century were “genocide” — using a term for the atrocities that his White House predecessors had avoided for decades over concerns of alienating Turkey.

The trip finale will be Biden's meeting with Putin.

Biden has taken a very different approach to Russia than Trump's friendly outreach. Their sole summit, held in July 2018 in Helsinki, was marked by Trump’s refusal to side with U.S. intelligence agencies over Putin’s denials of Russian interference in the election two years earlier.

Biden could well be challenged by unrest at home as Russia looks to exploit the Jan. 6 Capitol insurrection and the debate over voting rights to undermine the U.S. position as a global role model. The American president, in turn, is expected to push Russia to quell its global meddling.

“By and large, these are not meetings on outcomes, these are 'get to know you again' meetings for the U.S. and Europe,” said Richard Haass, president of the Council on Foreign Relations. “It's about delivering a message to Putin, to reviving old alliances and to demonstrate again that the U.S. is back on the right course.”

Related video: Biden to speak to Russia about JBS cyberattackThe meat supplier JBS USA paid an $11 million ransom in response to a cyberattack that led to the shutdown of its entire U.S. beef processing operation last week, the company said in a statement Wednesday evening.The ransom was paid after most of the company's facilities had come back online, JBS said."This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO of JBS USA, in the statement. "However, we felt this decision had to be made to prevent any potential risk for our customers." JBS's payment was first reported by The Wall Street Journal.The cyberattack affected servers supporting JBS's IT systems in North America and Australia. The U.S. government has attributed the ransomware attack to REvil, a criminal gang believed to be based in Russia or Eastern Europe."Preliminary investigation results confirm that no company, customer or employee data was compromised," JBS said in Wednesday's statement.JBS USA is part of JBS Foods, which it says is one of the world's largest food companies. It has operations in 15 countries and has customers in about 100 countries, according to its website. Its brands include Pilgrim's, Great Southern and Aberdeen Black.

WASHINGTON — The CEO of Colonial Pipeline spoke to lawmakers on Tuesday about the ransomware attack on his company last month.

During his testimony to the Senate Homeland Security Commissions, Joseph Blount said paying the hackers was the right thing to do after the May 7 attack caused significant fuel shortages along the east coast.

Blount's testimony comes a day after the Justice Department revealed it had recovered the majority of the $4.4 million ransom paid to the hackers, the Associated Press reported.

During his testimony, the Senate panel asked Blount what would've happened if his company didn't pay the hackers.

He responded, "That’s an unknown we probably don’t want to know. And it’s an unknown we probably don’t want to play out in a public forum.”

According to the AP, Colonial Pipeline negotiated with the hackers on May 7, the day of the attack, and then agreed to pay them a ransom of 75 bitcoin.

ABC News reported that Ohio Sen. Rob Portman asked Blount why the company would pay the ransom because according to the FBI website, the agency discourages paying a ransom in response to a ransomware attack. After all, it doesn’t guarantee they would recover the data stolen.

Blount responded that the company saw paying it would allow the flow of fuel to resume.

In his opening statement, Blount said paying the hackers "was the hardest decision."

"I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible," Blount said. "It was the hardest decision I have ever made in my 39 years in the energy industry and I know how critical our pipeline is to the country and I put the interest of the country first."

A second hearing is set for Wednesday before the House Homeland Security Committee.

The pandemic slammed businesses, including health care systems. On top of the stress of COVID-19, they also saw more cybersecurity attacks.

“Health care has always been a target, but it tremendously just blew up when the pandemic started,” said Angela Kobel, Chief Financial Officer of Lincoln Health in Hugo, Colorado.

She’s talking about cybersecurity. As the pandemic stressed health care systems, the industry also saw more attempted cyberattacks.

“A lot of our employees were working remotely as we closed the hospital down, which made us vulnerable,” Kobel said. “Everybody was so busy fighting COVID and trying to figure out what was happening with COVID that we didn't have the resources to put towards IT security.”

Hospitals are at a higher risk for attacks. Many of us have personal, private information shared with our doctors, often stored digitally. So for the past few years, Lincoln Health has used a third-party company to manage its IT system. That’s where Lance Goudzwaard with ReliableIT comes in.

“Health care organizations, they need to be very careful with that information. And I'll tell you the value of each of these records is very high. It's scary to think how much a hacker can sell one record for,” said Lance Goudzwaard, Virtual CIO at ReliableIT.

And hacking is getting easier.

“My 15-year-old daughter could go to the internet and download instructions on how to hack a lot of health care systems,” Goudzwaard said.

“It's incredibly easy to find and use hacking tools, and there are services you can outsource all of this too, if you want to,” cybersecurity expert Nathan Evans said.

It’s not just hospitals that are seeing these data breaches and ransomware attacks. Earlier this year, a cyberattack on the Colonial Pipeline caused a disruption in fuel transportation, leading to gas shortages in the southeastern U.S.

And JBA USA, a large meat supplier, recently announced it too was targeted by a cybersecurity attack. There are more that go unreported, as there aren’t regulations in place in most industries to report these incidents.

“The health care sector and financial sector have government requirements to report when they actually get breached,” said Nathan Evans, an assistant teaching professor at the University of Denver.

So what does all of this mean for your data, and your accounts? Evans said part of it is trust in the organization you give your information to.

“There's not really anything we can do on an individual basis to protect our medical information. There are HIPAA guidelines that require you to, if you're handling patient data, to encrypt it and make sure it's protected when it’s in transit or in storage,” Evans said.

Another safety net you can control is enabling two-factor authentication for your accounts.

“Two-factor authentication is combining something you know, which would be like a password, with something physical, so either your cell phone or a hardware key device,” he said. “The idea is that if an attacker gets just your password, they won't be able to log into your account because they won't have this second factor.”

It all boils down to education.

“The more we are aware of these common exploits, the better job we’re going to do at preventing them,” Goudzwaard said.

He said they are able to educate employees about common attacks and tools they can use to monitor themselves, especially with e-mails where many hackers can pose as co-workers, clients, or vendors.

“We’ve definitely become more aware,” Kobel said.

The world's largest meat processing company has resumed most production after a weekend cyberattack, but experts say the vulnerabilities exposed by this attack and others are far from resolved.

In a statement late Wednesday, the FBI attributed the attack on Brazil-based meat processor JBS SA to REvil, also known as Sodinokibi, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.

President Joe Biden will talk with Russia's president about the cyberattack.

White House Press Secretary Jen Psaki said Wednesday the JBS hack was expected to be discussed at a mid-June summit with Russian President Vladimir Putin.

She was also asked how the U.S. could respond to this attack.

"We are not taking any options off the table in terms of how we may respond," Psaki said. "But, of course, there is an internal policy review process to consider that. We are in direct touch with the Russians as well to convey our concerns about these reports."

REvil has not posted anything related to the hack on its dark web site. But that's not unusual. Ransomware syndicates as a rule don't post about attacks when they are in initial negotiations with victims — or if the victims have paid a ransom.

In October, a REvil representative who goes by the handle "UNKN" said in an interview published online that the agriculture sector would now be a main target for the syndicate. REvil also threatened to auction off sensitive stolen data from victims who refused to pay it.

The attack targeted servers supporting JBS's operations in North America and Australia. Backup servers weren't affected and the company said it was not aware of any customer, supplier or employee data being compromised.

JBS said late Tuesday that it had made "significant progress" and expected the "vast majority" of its plants to be operating Wednesday.

It is not known if JBS paid a ransom. The company hasn't discussed it in public statements, and did not respond to phone and email messages Wednesday seeking comment.

The FBI and the White House declined to comment on the ransom. White House Press Secretary Jen Psaki said Wednesday the U.S. is considering all options in dealing with the attack.

"I can assure you that we are raising this through the highest levels of the U.S. government," she said.

Ransomware expert Allan Liska of the cybersecurity firm Recorded Future said JBS was the largest food manufacturer yet to be attacked. But he said at least 40 food companies have been targeted by hackers over the last year, including brewer Molson Coors and E & J Gallo Winery.

Food companies, Liska said, are at "about the same level of security as manufacturing and shipping. Which is to say, not very."

The attack was the second in a month on critical U.S. infrastructure. Earlier in May, hackers shut down operation of the Colonial Pipeline, the largest U.S. fuel pipeline, for nearly a week. The closure sparked long lines and panic buying at gas stations across the Southeast. Colonial Pipeline confirmed it paid $4.4 million to the hackers.

Cybersecurity experts said the attacks targeting critical sectors of the U.S. economy are evidence that industry hasn't been taking years of repeated warnings seriously.

Cybercriminals previously active in online ID theft and bank fraud moved into ransomware in the mid-2010s as programmers developed sophisticated programs that permitted the software's more efficient dissemination.

The ransomware scourge reached epidemic dimensions last year. The firm CrowdStrike observed over 1,400 ransomware and data extortion incidents in 2020. Most targeted manufacturing, industrials, engineering and technology companies, said Adam Meyers, the company's vice president of intelligence.

"The problem has been spiraling out of control," said John Hultquist, who heads intelligence analysis at FireEye. "We're already deep into a vicious cycle."

Hultquist said ransomware syndicates are going after more critical and visible targets because they've invested heavily in identifying "whales" - companies they think will yield big ransoms.

JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.

Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption to the food supply will likely be minimal in this case. Meat has around a 14-day window to move through the market, he said. If a plant is closed for a day or two, companies can usually make up for lost production with extra shifts.

"Several plants owned by a major meatpacker going offline for a couple of days is a major headache, but it is manageable assuming it doesn't extend much beyond that," he said.

Jordan said a closure that runs closer to a week would be more serious, especially for a company like JBS, which controls around one-fifth of the country's beef, pork and chicken supply.

Critical U.S. infrastructure might be better hardened against ransomware attacks were it not for the 2012 defeat of legislation that would have set cybersecurity standards for critical industries.

The U.S. Chamber of Commerce and other business groups lobbied hard against the bill, condemning it as government interference in the free market. Even a watered-down version that would have made the standards voluntary was blocked by a Republican filibuster in the Senate.

Right now, the U.S. has no cybersecurity requirements for companies outside of the electric, nuclear and banking systems, said David White, president of the cyber risk management company Axio.

White said regulations would help, particularly for companies with inadequate or immature cybersecurity programs. Those rules should be sector-specific and should consider the national economic risks of outages, he said.

But he said regulations can also have an unintentional negative effect. Some companies might consider them the ceiling — not the starting point — for how they need to manage risk, he said.

"Bottom line: regulation can help, but it is not the panacea,"' White said.

JBS plants in Australia resumed limited operations Wednesday in New South Wales and Victoria states, Agriculture Minister David Littleproud said. The company hoped to resume work in Queensland state on Thursday, he said.

JBS, which is a majority shareholder of Pilgrim's Pride, didn't say which of its 84 U.S. facilities were closed Monday and Tuesday because of the attack. It said JBS USA and Pilgrim's were able to ship meat from nearly all facilities Tuesday. Several of the company's pork, poultry and prepared foods plants were operational Tuesday and its Canada beef facility resumed production, it said.

The plant closures reflect the reality that modern meat processing is heavily automated, for both food- and worker-safety reasons. Computers collect data at multiple stages of the production process; orders, billing, shipping and other functions are all electronic.

___

Bajak reported from Boston. AP Writers Rod McGuirk in Canberra, Australia; Alan Suderman in Richmond, Virginia; and Nancy Benac, Eric Tucker and Alexandra Jaffe in Washington contributed to this report.

The Transportation Security Administration is expected to issue new cybersecurity measures this week aimed at the pipeline industry for the first time.

The new rules will apply to U.S. pipeline operators and follow the ransomware attack against one of the country's largest, Colonial Pipeline, earlier this month. The attack resulted in a disruption to fuel supply on the entire east coast for nearly two weeks.

Pipeline companies would be required to report cyber incidents to the federal government as soon as possible.

They will also reportedly be asked to review their security system to determine any weaknesses or risks.

The rules are coming from the TSA, which operates under the Department of Homeland Security. The Washington Post reports a security directive is expected this week, and more rules will be released in the coming weeks.

This is the first time such rules will be issued for the pipeline industry. Previously, there were voluntary guidelines.

Alex Livingston and Robin Dich contributed to this report

The Colonial Pipeline launched the restart of its operations Wednesday evening following a six-day shutdown caused by a ransomware attack, but the pipeline's operators warned it will take several days for service to return to normal.

"Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period," the pipeline company said in a statement.

The Colonial Pipeline will move as much gasoline, diesel and jet fuel "as is safely possible and will continue to do so until markets return to normal," the company said.

The restart can't come soon enough. The shutdown sparked panic-buying and hoarding that has overwhelmed gas stations in the Southeast. A significant percentage of gas stations in Virginia, Georgia, North Carolina and South Carolina are without fuel, according to GasBuddy, which tracks fuel demand, prices and outages.

The Colonial Pipeline took itself offline Friday after suffering a ransomware attack. The 5,500-mile pipeline is responsible for carrying fuel from refineries along the Gulf Coast to New Jersey. It provides nearly half the gasoline and diesel consumed by the East Coast, making it perhaps America's most important pipeline.

Oil industry executives warned Wednesday that gas hoarding by Americans during the shutdown of the Colonial Pipeline is worsening the supply crunch.

"This situation is now being exacerbated by panic buying and hoarding," Frank Macchiarola, an executive at the American Petroleum Institute, said during a press briefing.

Executives also called on the White House to grant waivers that would allow foreign ships to send fuel to the East Coast to meet skyrocketing demand following the shutdown of the Colonial Pipeline.

The restart should begin to help ease the shortages.

"It means the worst is over in terms of the hysteria that I've called GuzzleGate," Tom Kloza, global head of energy analysis at the Oil Price Information Service, told CNN Business in an email.

Kloza said the first priority is to restart Line 1, which pumps gasoline from Texas and Louisiana to Greensboro, North Carolina.

"The crest of the outages comes perhaps tomorrow or Friday," said Kloza, adding Friday is always the busiest day of the week for gasoline sales.

While the shortage should resolve fairly quickly, "motorists could help the situation by holding off for a day or two to let stations refuel faster," Patrick De Haan, head of petroleum analysis at GasBuddy, said in an email.

"Now finally Americans can have some peace of mind that gasoline, diesel and jet fuel will begin flowing to affected areas once again," De Haan said.

Still, the issue won't resolve immediately.

"The restarting of the Colonial Pipeline is the beginning of the end of the crisis, not the end of the end of the supply crunch," Michael Tran, managing director of global energy strategy for RBC Capital Markets, said in an email. "With an operational pipeline, the race to logistically replenish regional and localized gas stations is the next step."

As the Colonial Pipeline starts to resume service, "our primary focus remains safety," the company said in its Wednesday statement.

"As part of this startup process, Colonial will conduct a comprehensive series of pipeline safety assessments in compliance with all Federal pipeline safety requirements," it said.

The company also expressed thanks to the White House for its "leadership and collaboration," along with the Department of Energy, Federal Bureau of Investigation and other government agencies.

In recent days, Biden administration officials privately voiced frustration with what they see as Colonial Pipeline's weak security protocols and a lack of preparation that could have allowed the ransomware group DarkSide to carry out the attack, officials familiar with the government's initial investigation into the incident told CNN Tuesday.

In the weeks leading up to the attack, Colonial Pipeline had been looking to hire a cybersecurity manager.

In the wake of the attack, cybersecurity experts said, Colonial likely took all of its systems offline in order to isolate what the bad actors had accessed and ensure they weren't able to move into other parts of the company's network.

People briefed on the matter also told CNN that the company halted operations because its billing system was compromised and they were concerned they wouldn't be able to determine how much to bill customers for fuel they received.

One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.