Attackers stole 1 TB of confidential data from the Saudi Arabian Oil Company, the national oil company of Saudi Arabia, which is now being sold on the darknet.
Interestingly, this time the leak was not due to a ransomware attack. Saudi Aramco attributes this incident to a leak from one of the third-party contractors and reports that the incident did not affect the company’s operations.
The information was put up for sale by the hack group ZeroX. Attackers are offering Saudi Aramco data for a price starting at $ 5,000,000 and claiming that the files were stolen by hacking into the company’s network and servers sometime in 2020. Thus, the files in the dump are mostly dated 2020, although there is information dating back to 1993.
When reporters asked the hackers exactly how they hacked the company, ZeroX did not answer anything specific, only mentioned a certain 0-day exploit.
To grab the attention of potential buyers, in June the attackers released some of Aramco’s blueprints and patent documents with revised personal information to the public. After that, a countdown of 662 hours (approximately 28 days) was started on the leak’s website, after which the sale of data was to begin. ZeroX says “662 hours” is a mystery and a hint that only Saudi Aramco will understand.
The hack group says their dump contains documents relating to Saudi Aramco’s refineries located in several cities in Saudi Arabia, including Yanbu, Jizan, Jeddah, Ras Tanura, Riyadh and Dhahran. The leak also contains the following data.
- Complete information about 14,254 employees of the company: name, photo, passport copy, email address, telephone number, residence permit number (Iqama card), position, ID numbers, family information and so on.
- Design specifications for systems related to electricity, architecture, construction, management, environmental protection, telecommunications, and so on.
- Internal analytical reports, agreements, letters, price lists, etc.
- Network diagram containing IP addresses, Scada points, Wi-Fi hotspots, IP cameras and IoT devices.
- Maps with precise coordinates.
- List of Saudi Aramco clients along with invoices and contracts.
Interestingly, for a 1 GB sample of data, the criminals are asking for $ 2,000, paid in Monero (XMR) cryptocurrency. As mentioned above, the cybercriminals estimate the entire dump at at least $ 5,000,000. Moreover, this is only the initial cost. For example, if a buyer appears, hoping for an exclusive one-time sale (to receive a full dump, which will then be completely removed by ZeroX), he will have to pay about $ 50,000,000.
ZeroX claims to have already negotiated the sale with five buyers.
Journalists report that contrary to rumors circulating on the Internet, this leak is not related to a ransomware attack. Representatives of Saudi Aramco also confirmed to Bleeping Computer that there was no ransomware attack. It is reported that the data breach occurred at one of the third-party contractors:
“Recently, Aramco became aware of an indirect leak of a limited amount of company data that belonged to third-party contractors. We confirm that the publication of this data does not affect our operations, and the company continues to have a strong position in the field of cybersecurity, ”says Saudi Aramco.
The publication notes that the attackers tried to contact Saudi Aramco to notify the company of the hack, but received no response. Also, the hackers did not try to arrange a ransomware attack after gaining access to the company’s networks (which they allegedly had), which also casts doubt on the timer discussed above. It looks like the back report is just a bait for potential buyers to draw attention to the sale of data.