In a recent CPO Magazine article, the magazine’s Senior Correspondent Scott Ikeda reported on a serious data breach suffered by the oil giant Saudi Aramco. The incident also puts third-party ‘vendor’ security back in the news.
According to Ikeda, the stolen data consists of proprietary company information as well as employee profiles all amounting to approximately 1 TB of data. The breach occurred due to a lapse on the part of an unnamed contractor who had been providing Saudi Aramco with third-party security.
The security breach itself was unusual in nature. Although it serves as another reminder of the inherent risks of relying on third parties to provide cybersecurity, this particular data breach cannot be blamed entirely on a vendor’s poor “cybersecurity hygiene.”
In this particular case, it appears that the attackers used some manner of zero-day exploit (according to Wikipedia “a computer software vulnerability unknown to those who should be interested in its mitigation”).
In addition, while the attackers are still trying to extort the company before releasing the stolen data, they have yet to deploy ransomware of any kind. There also appears to be a time-limited puzzle that the oil giant must solve in order to complete the payment.
At the heart of the data breach is a sizable amount of confidential and proprietary company information. The hackers proved they had obtained this data by posting a limited sample on the dark web. The information specifically consisted of location maps with accurate and detailed coordinates, blueprints, network layouts, analysis reports, project specifications, and other private internal documents.
The security breach further exposed many of the oil company’s clients through a list of billing information and invoices. The stolen data appears to go back as far as 1993.
Though the sample shared by the hackers had personal information redacted, the data on sale still includes the profiles of over 14,000 Saudi Aramco employees. The profiles are highly detailed and consist of photographs, full names, family information, passport scans, residence permit numbers, employee ID numbers, emails, and job titles.
The hackers have identified themselves as ZeroX. Prior to this attack, they had no known history of committing cyberattacks of this scale. ZeroX is offering the stolen data to buyers on the dark web at $5 million per buyer should Saudi Aramco fail to pay the $50 million ransom before a 28-day timer runs out. During these 28 days, the oil company is free to negotiate but must also solve a puzzle of some kind.