[BreachExchange] Saudi Aramco data breach sees 1 TB stolen data for sale

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jul 19 13:48:34 EDT 2021


https://www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/

Attackers have stolen 1 TB of proprietary data belonging to Saudi Aramco
and are offering it for sale on the darknet.

The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the
largest public petroleum and natural gas companies in the world.

The oil giant employs over 66,000 employees and brings in almost $230
billion in annual revenue.

The threat actors are offering Saudi Aramco's data starting at a negotiable
price of $5 million.

Saudi Aramco has pinned this data incident on third-party contractors and
tells BleepingComputer that the incident had no impact on Aramco's
operations.

"Zero-day exploitation" used to breach network

This month, a threat actor group known as ZeroX is offering 1 TB of
proprietary data belonging to Saudi Aramco for sale.

ZeroX claims the data was stolen by hacking Aramco's "network and its
servers," sometime in 2020.

As such, the files in the dump are as recent as 2020, with some dating back
to 1993, according to the group.

When asked by BleepingComputer as to what method was used to gain access to
the systems, the group did not explicitly spell out the vulnerability but
instead called it "zero-day exploitation."

To create traction among prospective buyers, a small sample set of Aramco's
blueprints and proprietary documents with redacted PII were first posted on
a data breach marketplace forum in June this year.

However, at the time of initial posting, the .onion leak site had a
countdown timer set to 662 hours, or about 28 days, after which the sale
and negotiations would begin.

ZeroX told BleepingComputer that the choice of "662 hours" was intentional
and a "puzzle" for Saudi Aramco to solve, but the exact reason behind the
choice remains unclear.

The group says that the 1 TB dump includes documents pertaining to Saudi
Aramco's refineries located in multiple Saudi Arabian cities, including
Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran.

And, that some of this data includes:

   - Full information on 14,254 employees: name, photo, passport copy,
   email, phone number, residence permit (Iqama card) number, job title, ID
   numbers, family information, etc.
   - Project specification for systems related to/including
   electrical/power, architectural, engineering, civil, construction
   management, environmental, machinery, vessels, telecom, etc.
   - Internal analysis reports, agreements, letters, pricing sheets, etc.
   - Network layout mapping out the IP addresses, Scada points, Wi-Fi
   access points, IP cameras, and IoT devices.
   - Location map and precise coordinates.
   - List of Aramco's clients, along with invoices and contracts.

Samples of stolen Saudi Aramco data and blueprints shared on leak site

Samples released by ZeroX on the leak site have personally identifiable
information (PII) redacted, and a 1 GB sample alone costs US$2,000, paid as
Monero (XMR).

The threat actor, however, did share a few recent unredacted documents with
BleepingComputer for confirmation.

The price of the entire 1 TB dump is set at US$5 million, although the
threat actors say the amount is negotiable.

A party requesting an exclusive, one-off sale (i.e. obtaining the complete
1 TB dump and demanding it be wiped completely from ZeroX's end) is expected
to pay a whopping US$50 million.

ZeroX shared with BleepingComputer that up until this point, they have been
negotiating the sale with five buyers.

Not a ransomware or extortion incident

Contrary to some claims floating around on the internet [1, 2] labeling
this incident a "ransomware attack," it is not.

Both the threat actor and Saudi Aramco have confirmed to BleepingComputer
that this is not a ransomware incident.

Saudi Aramco told BleepingComputer that the data breach occurred at
third-party contractors, rather than direct exploitation of Aramco's
systems:

"Aramco recently became aware of the indirect release of a limited amount
of company data which was held by third party contractors."

"We confirm that the release of data has no impact on our operations, and
the company continues to maintain a robust cybersecurity posture," an
Aramco spokesperson told BleepingComputer.

The threat actors did try to contact Saudi Aramco to inform them of the
breach but did not hear back and did not attempt extortion after gaining
access to their networks, which further casts doubts on the purpose of the
timer shown above.

It seems the countdown timer was merely set up as a lure for prospective
buyers, to generate an initial buzz around the sale.

In 2012, a prominent data breach against Saudi Aramco's systems wiped over
30,000 computer hard drives clean.

The cyberwarfare incident conducted via the Shamoon virus was allegedly
linked to Iran.

In more recent times, attacks on mission-critical infrastructure like the
Colonial Pipeline and the largest U.S. propane provider, AmeriGas, have
prompted a need for stepping up cybersecurity efforts at these facilities.

Edit 10:53 AM ET: Clarified the threat actors did attempt to contact Aramco
to inform them of the breach but did not attempt extortion.