Saudi Aramco Data Breach Highlights Risks to Oil and Gas Industry

Saudi Aramco Leak

On June 23, 2021, a threat actor on Raid Forums, a forum that hosts discussions on database leaks, claimed that they had a one terabyte information leak from Saudi Arabia’s state-owned oil company Saudi Aramco. The threat actor, who didn’t have a substantial history on the forum, posted a link to an onion “leak site” as proof of their access. 

Unlike previously reported extortion events, this incident did not include the use of ransomware. The victim organization had no disruption to their operations and had no way to immediately verify if data was, in fact, compromised. With ransomware, threat actors will typically receive payment solely from the victim organization. However, Saudi Aramco’s data was made available to whoever was willing to pay $5 million USD in Monero. To guarantee that the data was not leaked elsewhere, Aramco would need to pay $50 million USD in Monero. 

On July 21, 2021, Saudi Aramco acknowledged that the data had been accessed through a third-party contractor, and not through their systems. Aramco did not disclose the source of the leak or further details regarding the data. Aramco said the leak did not affect their operations.

At this time, the leak site is no longer available, indicating that the data had been wiped or paid, or that the leak site was taken down through a distributed denial-of service attack. On July 15, 2021, the same threat actor group posted another cache of compromised data reportedly from an Israeli biotechnology and pharmaceuticals company. 

Targeting Oil and Gas

While the intentions of the threat actor were most likely financial, we cannot assess if there was a strategic objective in targeting Saudi Arabia’s state-owned oil company. Saudi Aramco has previously been targeted with large-scale cyberattacks. In 2012, a malicious Iranian wiper malware dubbed “Shamoon” overwrote 35,000 Aramco Windows-based workstations. An Iranian advanced persistent threat group is suspected of responsibility for that incident. 

Recent high-profile ransomware incidents like the Colonial Pipeline cyber attack have highlighted potential impacts with disruption to oil and gas infrastructure. The pipeline was taken down as part of the incident response to prevent further compromise. Analysts have observed at least seven other ransomware incidents targeting the energy sector in the United States, the Middle East, and Mexico. 

Some of the earliest attacks against oil and gas infrastructure pre-dates the term “cyber.” One of the most notable incidents, dubbed “the Farewell dossier” involves a counter-intelligence operation against the Soviet Union resulting in the explosion of the trans-Siberian pipeline through faulty computer chips.

A recent advisory from the Cybersecurity & Infrastructure Security Agency (CISA) highlighted a campaign targeting 23 US natural gas pipeline operators from 2011 to 2013. According to the advisory, China state-sponsored adversaries were gathering sensitive information to “physically damage” or “disrupt pipeline operations.” 

Because of the mounting risks to energy infrastructure, on May 27, 2021, the Department of Homeland Security announced cybersecurity requirements for pipeline owners and operators. The requirements include various measures to increase the cybersecurity posture of pipeline infrastructure. 

As noted from the previously highlighted incidents, threats to oil and gas could come from third-party compromise, like Saudi Aramco, and result in data loss. Other incidents, like Colonial Pipeline, could be the result of ransomware operators. Attacks to oil and gas could range from cybercriminals to state-sponsored adversaries. Despite the source, the potential outcome from a cyber incident at oil & gas could be disruptive.

Access the Data Needed to Track and Analyze Critical Events

The data above was discovered directly through analyst research in the Flashpoint platform. Sign up for a free trial. See firsthand how Flashpoint can help you and your organization access the most critical information affecting your industry and the security community.