Saudi Aramco’s Data Breach with a 28 Day Puzzle Twist

The world’s most valuable oil producer has confirmed a data breach of 1TB (1,000 gigabytes) of proprietary company data. The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the largest public petroleum and natural gas companies, with a multinational workforce of more than 70,000 people, and brings in almost $230 billion in annual revenue.

The Saudi Aramco data up for sale includes documents pertaining to Saudi Aramco refineries, personal information about more than 14,000 employees, project specifications for systems, pricing sheets and internal analyses, as well as security-related information including IP addresses, Wi-Fi access points, and IoT devices.

“We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture,” Aramco told BleepingComputer via a spokesperson.

As reported, at some point last year the hackers behind the breach did not infiltrate the network and systems of the Saudi Arabian Oil Company itself but rather those of third-party contractors working for the company, which the group described as “zero-day exploitation.” The threat actors, identified as ZeroX, and Aramco both stated that this data breach was not ransomware or any other kind of extortion attack. Instead, the group is selling off the data for $5m, though it is also open to an exclusive, one-off sale in which it hands over all of the data and deletes it from its systems for $50m.

Back in June, ZeroX published limited fragments of Saudi Aramco’s data, including blueprints and proprietary documents from the company with personally identifiable information (PII) redacted, to a Dark Web forum to generate interest in the impending sale. In conjunction, a countdown timer was set to 662 hours. Once this 28-day deadline passes, the sale and negotiations for the data will begin. In a statement to BleepingComputer, ZeroX said that it intentionally chose “662 hours” as part of a “puzzle” for Saudi Aramco to solve, or simply as bait for prospective buyers, but the exact reason remains unclear.

In 2012, Aramco was the target of an attack with the Shamoon computer virus, which forced the giant to shut down its network and destroy 30,000 computers. In 2017, another virus spread across the kingdom and breached computers at Sadara, a partnership between Aramco and Michigan-based Dow Chemical Co. But the upsurge in cyberattacks on the global energy industry, with the Colonial Pipeline incident the most prominent just a short time ago, has companies reevaluating security spending.

“For Aramco and its 3rd party suppliers, this should be seen as a reminder that preventive tools alone will not provide for a resilient cyber security posture (or even a robust one); actively detecting signs of breach by controlling any and all suspicious activities in your infrastructure, controlling what changes and which of these changes is malicious is even more important nowadays,” said Dirk Schrader, Global VP of Security Research at NNT, now part of Netwrix.
