Ag Hacking
Shane

72 Threat Actors Are Targeting Your Food Supply Chain – What Houston Businesses Need to Know

How Ransomware Groups Target Food and Agriculture Companies – Practical Cybersecurity Steps for Food Supply Chain Companies

New Food and Ag-ISAC report exposes nation-state groups and ransomware operators behind persistent attacks on food infrastructure.

TL;DR
The Food and Ag-ISAC's 2025 Cyber Threat Report identifies 72 active threat actors targeting food supply chains - with Russia behind 59.3% of adversary activity and ransomware incidents surging 82% year over year. Every business in the food chain needs to act now.

The Food and Ag-ISAC just dropped its 2025 Food and Agriculture Cyber Threat Report, and the numbers should get the attention of every business connected to the food supply chain in Houston and Katy, Texas. Out of more than 330 monitored adversaries, 72 are actively targeting food and agriculture companies right now - a mix of nation-state operators and financially motivated cybercriminals going after everything from seed genetics to cold storage logistics.

This matters to Houston businesses for a direct reason. Texas is a major hub for food processing, distribution, and agricultural technology. If you're a manufacturer, distributor, or logistics company that touches the food supply chain, you're already in the crosshairs of groups backed by Russia and China. And the attacks aren't slowing down - they're accelerating.

Why this report matters locally: CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
🎯
The 72 Threat Actors Hunting Food Supply Chains
Nation-state espionage and ransomware gangs are working in parallel to exploit food and agriculture.

The Food and Ag-ISAC used its Predictive Adversary Scoring System (PASS) to evaluate over 330 threat actors and flag the 72 that pose the most immediate risk to food and agriculture operations. The scoring factors in activity level, frequency of sector targeting, technical capabilities, and demonstrated intent.

The geographic breakdown tells you everything about the geopolitical motivations behind these attacks:

  • Russia - 59.3% of observed adversary activity. The majority of Russian-linked threats come from ransomware operators who sit beyond the reach of Western law enforcement. Indictments rarely result in arrests. Russia also runs active nation-state groups with a specific focus on food and agriculture infrastructure.
  • China - 25.4% of observed adversary activity. China's interest in the sector is heavily focused on intellectual property theft - seed genetics, agricultural biotechnology, trade secrets from food processing operations. This is long-term strategic espionage, not smash-and-grab ransomware.
  • Remaining 15%+ from other nation-states and cybercriminal groups. Hacktivist groups account for about 4% of observed actors, while additional financially motivated cybercriminal groups make up the rest.
Food and Ag-ISAC adversary breakdown showing threat actor categories targeting food supply chains
Source: Food and Ag-ISAC, The 2025 Food and Agriculture Cyber Threat Report

Among the top PASS scorers: APT18, a China-linked nation-state actor, scored 75 out of 100. Akira, one of the most active ransomware groups in the sector, scored 73. Adversaries with scores this high represent persistent, high-capability threats that don't go away when you patch one vulnerability. They adapt and come back through a different door.

The report also breaks down the type of actors by category. Ransomware groups make up over half of all threat actors observed in the food and ag sector. Cybercriminal groups account for another 15%. The rest are nation-state operators and hacktivists - and the nation-state actors tend to be the quietest and most patient.

📈
An 82% Ransomware Surge - And It's Not Slowing Down
Ransomware volume across all sectors exploded in 2025, and food companies are caught in the crossfire.

In partnership with the IT-ISAC, the Food and Ag-ISAC tracked 6,377 ransomware incidents across all critical infrastructure sectors in 2025 - an 82% increase over the 3,508 cases recorded in 2024. Since they began monitoring in 2020, the joint initiative has now documented more than 15,265 ransomware attacks.

Food and agriculture specifically took 265 hits in 2025, representing 4.2% of total ransomware volume. The five groups leading the charge against the sector were Qilin, Akira, CL0P, Play, and Lynx - together responsible for nearly 50% of all recorded incidents targeting food and ag.

Ransomware Group | Sector Targeting | Notable Tactic
Qilin | Top food/ag attacker in 2025 | Opportunistic scanning for exposed systems
Akira | PASS score 73 - persistent sector presence | Extortion-only operations (skipping encryption)
CL0P | 9.3% of attacks hit food/ag (2x the average) | Mass exploitation of file transfer vulnerabilities
Play | Broad cross-sector targeting | Double extortion with data theft
Lynx | Rising actor in 2025 | Supply chain-focused intrusions

CL0P stands out as a partial exception to the typical "spray and pray" model. At 9.3% of its total attacks directed at food and ag, it's targeting the sector at more than double the average rate across all groups - which suggests some degree of intentional focus on food supply chain businesses.

Top 10 threat actors targeting the food and agriculture sector ranked by PASS score
Source: Food and Ag-ISAC, The 2025 Food and Agriculture Cyber Threat Report
Cyber Takeaway: The bigger pattern is that most ransomware groups don't specifically select food companies as targets. They scan for exposed systems, buy access from brokers, and exploit any vulnerable organization they find. Food and agriculture businesses get swept up because they tend to run older systems, rely on just-in-time delivery models that create urgency to pay, and often lack the cybersecurity maturity of sectors like banking or defense.

⚔️
How These Threat Actors Get Inside Your Network
The most common attack techniques rely on tools your own systems already have installed.

The PASS analysis revealed clear patterns in how these 72 threat actors operate. The percentages below represent how frequently each tactic appears across the monitored adversaries:

  • Living off the Land (LOTL) - 90% of adversaries. Attackers use tools already present on your systems - PowerShell, Windows Management Instrumentation, remote desktop protocols. Because they're using legitimate software, traditional antivirus often misses the activity entirely.
  • Targeted spear-phishing - 83% of adversaries. Not the clumsy mass phishing emails of a few years ago. These are researched, customized messages targeting specific individuals inside your organization - often an accounts payable clerk, an operations manager, or someone with VPN credentials.
  • Custom malware development - 80% of adversaries. Threat actors are building purpose-built tools designed to bypass your specific security stack. Off-the-shelf security solutions alone won't catch these.
  • Stealthy exfiltration and persistence - 70% of adversaries. Once inside, they stay quiet. They establish persistence mechanisms that survive reboots and patches, then slowly siphon data out over weeks or months before anyone notices.
  • Data encryption for impact - 65% of adversaries. The classic ransomware play - encrypt everything and demand payment. But increasingly, groups are skipping encryption entirely and going straight to data theft with extortion threats.
  • Zero-day exploitation - 42% of adversaries. Nearly half of these groups have demonstrated the ability to exploit vulnerabilities that have no available patch. That's a high-capability indicator.
Sophistication of technique breakdown showing TTPs used by food and agriculture threat actors
Source: Food and Ag-ISAC, The 2025 Food and Agriculture Cyber Threat Report

The shift toward double extortion deserves special attention. Even if you have good backups and can restore your systems, the attackers still hold your stolen data. Client records, employee information, proprietary formulations, distribution contracts - all of it becomes a negotiation chip. We see this pattern at least twice a month with Houston-area businesses across different industries.

⚠️

The Living off the Land Problem

When 90% of threat actors are using your own system tools against you, traditional antivirus is not enough. You need behavioral monitoring that can detect unusual patterns in how legitimate tools are being used - not just signature-based scanning for known malware.
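As an added illustration of that behavioral approach (this is example code written for this article, not taken from the Food and Ag-ISAC report or from any CinchOps product), the sketch below scores process-creation events by how a built-in tool was launched rather than by file signature. The event fields, host names, rule set, and 07:00-19:00 working window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime

# Constructed process-creation events (not from the report or any real network).
EVENTS = [
    {"ts": "2025-03-04T10:15:02", "host": "PLANT-WS01", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory_report.ps1"},
    {"ts": "2025-03-05T02:07:41", "host": "PLANT-WS01", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64>"},
    {"ts": "2025-03-05T02:11:19", "host": "COLD-SRV02", "parent": "wmiprvse.exe",
     "image": "cmd.exe", "cmd": "cmd.exe /c <command>"},
    {"ts": "2025-03-05T14:30:00", "host": "COLD-SRV02", "parent": "services.exe",
     "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

# Assumed rule set: built-in tools to watch and parents that rarely launch them.
LOTL_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED = re.compile(r"\s-e(?:c|nc\w*)?\b", re.I)  # -e, -ec, -enc, -EncodedCommand
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def score_event(ev, work_hours=(7, 19)):
    """Return (score, reasons): one point per unusual trait of a built-in tool launch."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    if image not in LOTL_TOOLS:
        return 0, []
    reasons = []
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not work_hours[0] <= hour < work_hours[1]:
        reasons.append("off-hours execution")
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    if parent == "wmiprvse.exe":
        reasons.append("spawned through WMI")
    if image in ("powershell.exe", "pwsh.exe"):
        if ENCODED.search(ev["cmd"]):
            reasons.append("encoded command line")
        if HIDDEN.search(ev["cmd"]):
            reasons.append("hidden window")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Alert only when several weak signals coincide, highest score first."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["ts"], alert["host"], alert["score"], "; ".join(alert["reasons"]))
```

The daytime script run and the ordinary service process produce no alert, while the 2 AM PowerShell launch from a Word document and the WMI-spawned shell both do, even though every binary involved is legitimate.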

💥
When Food Supply Chains Go Dark
Recent attacks have shut down manufacturing plants, disrupted grocery chains, and cost hundreds of millions in damages.

These aren't theoretical risks. The past two years have produced a steady stream of real incidents that show exactly what happens when a food supply chain company gets hit:

  • United Natural Foods (UNFI): A cyberattack caused roughly $400 million in supply chain disruption for one of the largest grocery wholesalers in North America. That single incident affected store shelves across multiple states.
  • Coca-Cola (2025): The Everest ransomware group claimed to have stolen over 23 million internal messages from the company's systems.
  • Ahold Delhaize (November 2024): A ransomware attack on one of the world's largest food retail groups disrupted supply chain and delivery operations across the U.S.
  • Stop & Shop (November 2024): A cybersecurity incident caused shortages of fresh produce, meat, and dairy products in several states.
  • Blue Yonder (November 2024): An attack on this supply chain technology provider cascaded to clients including Starbucks, Morrisons, and Sainsbury's - a textbook example of how hitting one supplier can take out hundreds of downstream operations.

The food and agriculture sector represents roughly one-fifth of the U.S. economy. When a food producer goes offline, the effects aren't contained to one company. Products don't get made. Trucks don't get loaded. Shelves don't get stocked. The just-in-time delivery model that makes the food supply chain efficient also makes it extremely fragile when any link gets disrupted.

SMB Takeaway: For small and mid-sized businesses in the Houston area - companies with 10-200 employees operating in manufacturing, distribution, or food processing - the lesson is clear. You don't have to be a Fortune 500 company to be worth attacking. Ransomware groups are opportunistic. They scan for exposed systems and don't care whether you're a 50-person food packaging company in Katy or a multinational conglomerate.
🔮
What the 2026 Threat Outlook Looks Like
The Food and Ag-ISAC's forward-looking assessment points to four trends that will make things harder.

The report doesn't just look backward. The Food and Ag-ISAC's 2026 outlook identifies several shifts that will increase pressure on the sector:

  • Ransomware group fragmentation. The big-brand ransomware operations (LockBit, BlackCat/ALPHV) that dominated 2023-2024 have splintered into smaller, more agile cells. These groups have shorter lifespans, making them harder for law enforcement to track and dismantle. When one goes down, three more pop up.
  • DDoS layered on top of ransomware. Attackers are adding distributed denial-of-service attacks to their playbook. Even if you can restore from backups and avoid paying the ransom, a sustained DDoS attack can keep your customer portals, logistics APIs, and ordering systems offline - forcing you back to the negotiating table.
  • Hypervisor and SaaS targeting. Expect continued attacks on VMware ESXi and other hypervisors, as well as SaaS providers used by food companies. One successful attack on the underlying infrastructure can take down hundreds of victim networks simultaneously.
  • AI-powered social engineering. Deepfake voice and video technology is already being used to impersonate executives and IT staff. In 2026, expect hyper-realistic voice clones of CEOs requesting urgent wire transfers or IT directors instructing employees to disable security controls.

The Farm and Food Cybersecurity Act (H.R. 7062) is working its way through Congress, which would direct CISA to deliver vulnerability assessments for the sector every two years and run annual cross-sector simulation exercises. That's a start, but legislation moves slowly. The threats documented in this report are active right now.

🛡️
How CinchOps Can Help
Practical cybersecurity for Houston-area businesses connected to food supply chains.

In 30+ years of managing IT systems for businesses across multiple industries, the pattern we see most often is companies that don't realize they're exposed until after an incident. The threats described in this report - living off the land techniques, targeted spear-phishing, data exfiltration - require proactive detection, not reactive response. CinchOps provides the managed IT support and cybersecurity monitoring that food supply chain businesses in Katy, Houston, Sugar Land, and Cypress need to stay ahead of these threats.

  • 24/7 Endpoint Detection and Response (EDR): Behavioral monitoring that catches living-off-the-land attacks - not just known malware signatures. When PowerShell starts behaving unusually at 2 AM, we see it.
  • Phishing Simulation and Security Awareness Training: 83% of these threat actors use spear-phishing. Your employees are the first line of defense, and we help make sure they know what to look for.
  • Vulnerability Assessment and Patch Management: 42% of these groups have demonstrated zero-day exploitation, and most ransomware groups scan for exposed systems. We identify and close those gaps before the scanners find you.
  • Business Continuity and Disaster Recovery Planning: When a ransomware attack hits, the question is how fast you recover - not if. CinchOps builds business continuity plans that include air-gapped backups, tested recovery procedures, and defined SLAs.
  • Network Security and Segmentation: If an attacker gets into one system, microsegmentation prevents them from moving laterally through your entire network. This is especially important for businesses running OT/ICS systems alongside standard IT infrastructure.
  • Incident Response Planning: We build and test incident response plans before you need them - including tabletop exercises that simulate the exact scenarios this report describes.

The food supply chain is critical infrastructure. If your business touches it - whether you're a manufacturer, distributor, cold storage operator, or food processor - the threats in this report apply to you. Don't wait for an incident to find out where your gaps are.

Frequently Asked Questions

What is the Food and Ag-ISAC and why does its threat report matter?

The Food and Agriculture Information Sharing and Analysis Center is a threat intelligence organization founded in 2023 by major food companies including PepsiCo, Tyson Foods, and Cargill. Its 2025 Cyber Threat Report matters because it identifies 72 active threat actors targeting food supply chains and provides detailed analysis of their methods, origins, and targets - intelligence that helps businesses defend against specific, documented threats.

Are small food companies in Katy and Houston at risk from these threat actors?

Yes. The report confirms that most ransomware campaigns are opportunistic - attackers scan for exposed systems and exploit any vulnerable organization regardless of size. Small and mid-sized food companies in the Houston metro area often run older systems and lack dedicated cybersecurity staff, which makes them attractive targets. A managed IT services provider with cybersecurity expertise can close these gaps.

What is the most common attack method used against food and agriculture companies?

Living off the land (LOTL) techniques are used by 90% of the 72 identified threat actors. These attacks use legitimate tools already installed on your systems - PowerShell, WMI, remote desktop - making them extremely difficult for traditional antivirus to detect. Behavioral monitoring and endpoint detection and response (EDR) solutions are necessary to catch this type of activity.

How can a cybersecurity provider near me help protect against food supply chain attacks?

A local cybersecurity provider like CinchOps in Katy, Texas delivers ongoing monitoring, vulnerability management, employee training, and incident response planning tailored to your business. The combination of 24/7 EDR, regular patching, phishing awareness training, and tested backup procedures addresses the specific tactics these 72 threat actors use to breach food supply chain companies.

What should Houston-area food businesses do first to improve their cybersecurity?

Start with three actions: enable multi-factor authentication on all accounts, ensure all systems are patched and updated, and verify that your backups are air-gapped and regularly tested. These three steps address the most common initial access methods identified in the Food and Ag-ISAC report. A full security assessment will identify additional gaps specific to your environment.
