Posted on July 21, 2021 at 6:18 PM
A recent report reveals that threat actors have put the data of Saudi Arabian oil company, Aramco, on the darknet for $5 million.
The company stated that the data was taken from third-party contractors, not from its own systems, and that the incident does not affect Aramco's operations.
The incident has been ruled out as a ransomware attack: both the ZeroX hacking group and the oil company have confirmed that no ransomware was involved.
1TB of data stolen
The threat actors connected to the incident claim that they stole the data from the organization last year, and that some of the files contain details dating back to 1993.
Some of the stolen files were first uploaded to a darknet forum last month to advertise the availability of the data. The sample files contain proprietary documents as well as personally identifiable information (PII).
The Dhahran-based public oil company is one of the largest firms in the world by revenue. In 2020, it recorded annual sales of $230 billion. It also has the largest daily oil production of any oil company and the second-largest crude oil reserve (about 43 billion cubic meters).
The report states that the threat actors stole about 1 TB of data from the company. Although they have offered the entire dataset for $5 million, the hackers say they are willing to negotiate with serious buyers.
The ZeroX hackers say they did not encrypt the data, unlike in most ransomware attacks.
As with other breaches, threat actors typically fall back on selling their loot on a hacking forum if the victim refuses to pay a ransom for the data.
The ZeroX hackers stated that they contacted the company to notify it of the breach but did not demand any ransom payment.
Attackers possibly used zero-day exploits
The threat actor did not provide many details about how the data was stolen or which technique was used. Based on their brief explanation, it may have been a zero-day exploit, but this is not confirmed.
The threat actors, who call themselves ZeroX, released a sample containing blueprints and redacted personal information.
When ZeroX posted on the forum, their .onion data leak site displayed a countdown timer set to 662 hours (roughly 28 days), indicating that negotiations and the sale of the data would begin when the timer ran out.
The group stated that they chose 662 as a puzzle intended for the company to solve. The actual reason behind the choice is not clear.
The hackers also stated that the 1 TB dump contains data on over 14,000 staff, including their name, number, ID number, residence permit card, email, and passport photo.
Apart from the personal information of staff, the dump reportedly contains contract details, invoices, a list of Aramco clients, location maps with accurate coordinates, network layouts, internal analysis reports, and project specifications.
In the sample the gang published on the darknet forum, the personal information has been redacted. According to the group, the 1 GB sample costs $2,000, and interested buyers must pay in Monero (XMR).
Aramco says the breach has no impact on the operation
This is not the first time Saudi Aramco has been hit by a cyberattack. In 2012, threat actors used the Shamoon malware to cripple virtually every computer system at the firm. A similar incident occurred in 2018, when a variant of Shamoon was found on some of the company's systems.
According to reports, the ZeroX threat actors are already negotiating with five prospective buyers who are interested in the data.
Saudi Aramco says the threat actors did not breach its systems directly but obtained the data via a third party. Aramco also said it had become aware that some company data held by a third-party contractor had been released.
Aramco assured clients that its services are fully functional and that the data breach will not cause any disruption to its services.
“We confirm that the release of data has no impact on our operations,” the oil company told Bleeping Computer.