USD 50 Million Ransom Demanded from Saudi Aramco Over Leaked Data

 

Saudi Arabia's state oil firm admitted on Wednesday that data from the corporation was leaked and that the files are now being used in a cyber-extortion effort including a USD 50 million ransom demand. The data was presumably leaked by one of the company's contractors. Saudi Aramco, the Saudi Arabian Oil Co., notified The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors."

Saudi Aramco is a public Saudi Arabian oil and gas enterprise headquartered in Dhahran. It is expected to be one of the world's most profitable corporations as of 2020. Saudi Aramco has the world's second-biggest proven crude oil reserves, with about 270 billion barrels (43 billion cubic metres), as well as the world's largest daily oil production.

The Master Gas System, operated by Saudi Aramco, is the world's biggest single hydrocarbon network. It handles about one hundred oil and gas fields in Saudi Arabia, including 288.4 trillion standard cubic feet (scf) of natural gas reserves, and its crude oil production totaled 3.4 billion barrels (540 million cubic metres) in 2013. The Ghawar Field, the world's largest onshore oil field, and the Safaniya Field, the world's largest offshore oil field, are both operated by Saudi Aramco. 

The oil company did not specify which contractor was affected, nor did it clarify whether the contractor was hacked or if the information was released in some other way. "We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said. 

The AP found a page on the darknet, a section of the internet kept behind an encrypted network and accessible only through specific anonymity-providing tools, that claimed the extortionist had 1 terabyte of Aramco data. The page offered Aramco the chance to have the data destroyed for USD 50 million in cryptocurrency, with a timer counting down from USD 5 million, most likely to put pressure on the corporation. It is still unknown who is behind the ransom plot.

Aramco has previously been the victim of cyber-attacks. The so-called Shamoon computer virus, which destroyed hard drives and then flashed a picture of a burning American flag on computer displays, affected the oil behemoth in 2012. Aramco was compelled to shut down its network and destroy over 30,000 machines as a result of the attack. Later, US officials blamed the strike on Iran, whose nuclear enrichment programme had just been targeted by the Stuxnet virus, which was most likely created by the US and Israel.

Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign

 

A sophisticated campaign aimed at big multinational oil and gas firms has been running for more than a year, spreading common remote access trojans (RATs) for cyber-espionage purposes, according to researchers.

According to Intezer's analysis, spear-phishing emails with malicious links are used to deploy RATs such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on infected computers, all with the goal of stealing confidential data, banking information, and browser information, as well as logging keystrokes.

While energy corporations are the primary targets, the campaign has also targeted a few companies in the IT, industrial, and media industries, according to researchers. Its targets are primarily based in South Korea, but also include companies from the United States, the United Arab Emirates, and Germany.

The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.” 

According to Intezer, “The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.” 

Modus Operandi of the Attack:

According to analysts, the attackers begin by sending emails customized to the staff at each of the targeted companies. The recipients' email addresses range from generic (info@target company[.]com, sales@target company[.]com) to those of particular persons inside organizations, implying various levels of reconnaissance.

The email addresses used in the "From" field are typosquatted or forged to give the impression of authenticity. They are designed to look like emails from real organizations that the targets are familiar with. Typosquatting fools email recipients into believing that an email has been sent from a trusted entity.

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. 

Other attempts to appear official include making references to executives and using the physical addresses, logos, and emails of genuine organizations in the text of the emails. According to the post, the emails also contain requests for quotes (RFQ), contracts, and referrals/tenders for genuine projects linked to the targeted company's business.

In the majority of these emails, the file name and icon of the attachment make it look like a PDF. Intezer experts stated that the goal is to make the file appear less suspicious and entice the targeted user to open and read it. An information stealer is executed when the victim opens the attachment and clicks on the files it contains.

Intezer also highlighted that the malware's execution is fileless, meaning it is loaded into memory without creating a file on disk, in order to avoid detection by standard antivirus.
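The two lures described above, a lookalike "From" domain and an attachment that only presents as a PDF, can be triaged at the mail gateway. The following is an added example, not code from Intezer or from this blog; the trusted-domain list, the distance threshold, and the sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: domains the organisation genuinely corresponds with (placeholders).
TRUSTED_DOMAINS = {"partner-energy.example", "supplier-power.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = msg["From"].addresses[0].domain.lower()
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles {imitated}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        claims_pdf = ".pdf" in name or part.get_content_type() == "application/pdf"
        # PDF readers accept the header anywhere in the first 1024 bytes.
        if claims_pdf and b"%PDF-" not in data[:1024]:
            findings.append(f"attachment {name} presents as PDF but is not one")
    return findings

def build_sample(sender, filename, payload):
    """Constructed test message; no real campaign data."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "sales@victim.example", "RFQ"
    m.set_content("Please see the attached file.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("rfq@partner-enerqy.example", "RFQ_specs.pdf.bin", b"not a pdf")))
```

A "From" address forged with the exact trusted domain passes the lookalike check; that case is left to SPF, DKIM, and DMARC verification.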

A Social-Engineering Bonanza: 

According to experts, while the technical parts of the operation are fairly standard, the attackers excel at social engineering and at researching their targets.

One email, for example, claimed to be from Hyundai Engineering and mentioned an actual combined cycle power plant project in Panama. The email instructs the recipient to submit a bid for the project's equipment supply and includes more data and requirements "in the attached file" (containing the malware). In addition, the communication specifies a firm deadline for proposal submissions. 

Another email examined by Intezer researchers was sent to an employee of GS E&C, a Korean contractor involved in a number of worldwide power plant projects. The email requested both technical and commercial proposals for the goods listed in the attachment, which was ostensibly a material take-off (MTO) document.

Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”