Saudi Aramco, the world largest producer of petroleum and natural gas products, faces a $50 million ransom demand that does not involve ransomware. The company reportedly told the Associated Press that the stolen data “was held by third-party contractors,” and that its systems had not been breached.
Nevertheless, it appears that someone from the unidentified contractor firm stole 1 TB of data dating back to 1993, including company information, customer invoices and more than 14,000 of 66,000 employee profiles, complete with personally identifiable information (PII) such as passport scans.
The contracting firm in question had been working with Aramco for an undisclosed period before the theft occurred.
Saudi Aramco acknowledged the incident on Wednesday, July 21, 2021. The stolen data is now in the hands of ZeroX, a group which claimed to have released a zero-day threat. Both ZeroX and Saudi Aramco stated there was no ransomware involved.
Now, ZeroX is threatening to sell the information for a starting price of $5 million on the Dark Web. If Aramco wants to avoid that fate, the company must solve a puzzle which involves the 662 hours the company has been given to pay the $50 million ransom.
ZeroX told Bleeping Computer that the data was stolen by hacking Aramco’s networks and servers in 2020. Saudi Aramco downplayed the incident, which isn’t surprising since the company likely does not have all the facts in order yet.
Saudi Aramco’s data is particularly concerning because in addition to the employee data, reports, products specs, invoices and other sensitive company information that was stolen, including a customer list, also for sale is a map of the network including IoT addresses, SCADA points, IP cameras, Wi-Fi access points and IP addresses plus their precise GPS coordinates.
Companies are rediscovering that their physical security and cyber security are only as strong as the weakest link which may be a third-party contractor. While rigorous due diligence helps reduce the potential for third-party risks, as is common, it’s the human element that tends to fail. In this case, it appears a contractor was seduced by the promise of a lucrative pay day.
Ironically, about a month ago, Saudi Aramco announced that eight professional services firms had passed its Cybersecurity Compliance Certificate, which is intended to reduce third-party risks.
- Have a rigorous due diligence process for vetting third parties including contractors, service providers, and vendors.
- Always have legal review contracts to ensure there are proper legal controls and contract breach remedies in place.
- Make sure your own company’s cyber security standards are where they should be, including the enforcement of those standards.
- Make sure third parties’ security policies align with your company’s. If they don’t, negotiate or find another potential partner.
- Realize there are no silver bullets in terms of tools and other controls, including certification programs.
- Run Monte Carlo analyses that reflect the current trends occurring in the threat landscape and plan for incident response accordingly.