Saudi Arabian public petroleum and natural gas company Saudi Aramco became the latest victim of a hacking attack after a hacker group stole up to 1TB of data from third-party contractors. The group is now threatening to sell the stolen data on a dark web forum.
According to Bleeping Computer, a cybercriminal group calling itself ZeroX obtained data belonging to Saudi Aramco after infiltrating the servers of the oil giant’s third-party contractors. It is not clear how ZeroX got into the third-party servers; the group claims to have exploited a zero-day vulnerability, but that claim has not been independently confirmed.
The theft reportedly took place sometime in 2020, but Saudi Aramco only learned about the breach earlier this month. Although the company did not mention the breach on its global website, it told Bleeping Computer that the attackers gained access to its data after breaching the systems of third-party contractors.
“Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors. We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture,” the company said.
ZeroX, which has been upfront about stealing data belonging to Saudi Aramco, is now threatening to sell the stolen data on a dark web forum for £3.65 million. The stolen data includes personally identifiable information of as many as 14,254 employees, including their names, photos, passports, email addresses, phone numbers, residence permit (Iqama card) numbers, job titles, ID numbers, family information, and more.
The data also includes project specifications, internal analysis reports, a network layout map with IP addresses, SCADA points, Wi-Fi access points, IP cameras and IoT devices, location maps with precise coordinates, and a list of Saudi Aramco’s clients. As proof of the theft, the hacker group has shared snippets of the stolen data on the dark web, some of which date back to 1993.
The group posted the samples on a .onion leak site and has set a countdown of 662 hours (roughly 28 days), after which the stolen data will be sold to the highest bidder. This is likely an attempt to pressure Saudi Aramco into negotiating and buying back its proprietary data before it is sold to a third party.
Commenting on the successful theft of Saudi Aramco’s data by a relatively unknown hacker group, Ilia Kolochenko, the CEO of ImmuniWeb, says that, given that some of the compromised data allegedly dates from 1993, it is not impossible that the data comes from several breached suppliers as well as from Aramco networks directly.
“Oftentimes, suppliers have privileged and virtually uncontrolled access to corporate resources on-premises and in the cloud, both of which are low-hanging fruit for shrewd cybercriminals. Many modern cyber gangs focus solely on hacking technology vendors to pivot to their customers in a simple, inexpensive and effortless manner.
“Today, the Middle East is a booming market for cybersecurity, however, companies should pay more attention to supply chain security, otherwise, they may repeat the unenviable scenario of the Colonial Pipeline attack,” he adds.