Middle East Oil Giants Grapple With Cyberattacks

2021/07/26 16:45
As the global oil and gas markets are recovering from the steep sell-off last Monday, threats in the market are not just linked to demand-supply concerns. Cybersecurity specialists reported this week that hackers managed to get access to a large amount of data from Saudi oil giant Aramco. The company has confirmed that around 1TB of (confidential) data was stolen from its servers. According to AP sources, the data has been put on offer on the darknet for a price of $50 million.

It is at present still unknown who is behind the data theft, and some are also worried that no additional information is being given by the parties involved. The world’s largest listed oil company, Aramco, has been targeted by cyberattacks on a regular basis, such as the well-known Iran-instigated Shamoon virus attacks. This most recent attack on Aramco shows that there remains a lot of work to be done to protect the oil giant against future data breaches, ransomware attacks, and industrial espionage. The Aramco data breach shows again that the threat to energy supply comes not just from drone and missile attacks, but also from cyberattacks.

Since the Shamoon attack, which brought a large part of the Saudi giant to a standstill, major cybersecurity programs have been proposed and implemented by the Saudis. However, even a trillion-dollar company seems to be unable to fully protect its digital infrastructure. 

For financial stakeholders, the current situation is of course of interest. Saudi Aramco is implementing a major company restructuring strategy, focusing on mid- and downstream assets. According to sources, the 1TB data breach is linked especially to downstream assets and operations. Potential pressure from this “third-party contractor breach” on divestments or privatization plans, such as the Aramco pipeline project, should not be dismissed straight away. If the available data is much more detailed, especially on price settings or financial strategies, the damage could be much larger than currently presented in the press.

Sources are stating that “zero-day exploitation” was used to get access to the servers. The data is now being offered by a threat actor group known as ZeroX. In statements made by ZeroX, the 1TB of data was stolen in 2020 by hacking Aramco's "network and its servers". The total data includes files from 1993 to 2020. On the darknet and other sites on the internet, ZeroX has posted samples of Aramco's blueprints and proprietary documents. The first data was already posted on a data breach marketplace forum in June this year.

The initial posting on the so-called .onion leak site had a countdown timer set to 662 hours, or about 28 days, after which the sale and negotiations for the total data set would begin. It is not exactly clear why the hackers went with a 662-hour deadline; ZeroX reportedly has said that the choice of "662 hours" was intentional and a "puzzle" for Saudi Aramco to solve, but the exact reason behind the choice remains unclear. In an info piece, ZeroX has also stated that the 1TB dump includes documents linked to Saudi Aramco's refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran. Other information shows that it includes:

  1. Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.

  2. Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.

  3. Internal analysis reports, agreements, letters, pricing sheets, etc.

  4. Network layout mapping out the IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices.

  5. Location map and precise coordinates.

  6. List of Aramco's clients, along with invoices and contracts.

BleepingComputer reports that samples released by ZeroX on the leak site have personally identifiable information (PII) redacted, and that a 1 GB sample alone costs US$2,000, paid through the cryptocurrency Monero (XMR). ZeroX has also stated that the price of the entire 1 TB dump is set at US$5 million; if a party wants exclusive rights in a one-off sale (i.e. to obtain the complete 1 TB dump and demand that it be wiped completely from ZeroX's end), it needs to pay a whopping US$50 million.

All parties, including ZeroX and Aramco, have reiterated that the incident is not a ransomware attack. Aramco has repeated that the breach happened at third-party contractors and that Aramco’s systems were not directly involved. A company spokesman repeated that the company continues to maintain a robust cybersecurity posture. Compared with the 2012 Shamoon attack, which destroyed 30,000 computer hard drives at Aramco, the current breach is less dangerous. Still, looking at recent global ransomware and other cyber-related attacks, such as those on the Colonial Pipeline or European supermarkets, the threat to Aramco, and possibly to other Arab national oil companies, is real.

Some have also stated that the ZeroX attack may be the first of a series of upcoming cyberattacks on Aramco. Even though the current data breach was executed through third-party contractors, it shows that hackers managed to find loopholes in the cybersecurity systems of oil and gas companies.

Analysts will be scratching their heads in the coming months over how to deal with and prevent these data breaches or Shamoon 2.0 ransomware attacks. The current digitalization of oil and gas, including upstream, mid- and downstream operations, is not only a positive development. The huge number of sensors, data points, information-gathering operations, and real-time monitoring systems, introduced in principle to lower costs and increase profit margins, has become a weak spot for companies. As the cyber warfare strategies of global and regional powers advance, attacks could become a lot more sophisticated, and the oil and gas industry is expected to remain a key target.

Additionally, one should take statements about cybersecurity by government or company officials in the Middle East with a pinch of salt. No company or government official will ever reveal the whole story when asked to comment. If the 2012 Shamoon case, with its discrepancies between official statements and reality, is taken as a baseline for assessments, the current situation could be much worse than expected.