Threat actor claims to have stolen 1 TB of data belonging to Saudi Aramco

A hacker claims to have stolen 1 TB of sensitive data from the Saudi Arabian petroleum and natural gas giant, Saudi Aramco.

Threat actors that goes online with the moniker ZeroX  claim to have stolen 1 TB of sensitive data from the Saudi Arabian petroleum and natural gas giant end it is offering for sale it on multiple hacking forums.

The oil giant employs has over $200 billion in annual revenue, and the threat actors are offering the stolen data at an initial price of $5 million.

Bleeping Computer reached the company who confirmed a data breach on third-party contractors, but pointed out that the incident had no impact on Aramco’s operations. Saudi Aramco also told BleepingComputer that this is not a ransomware security breach.

“Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors.” Aramco spokesperson told Bleeping Computer. “We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture.”

ZeroX claims to have exploited a zero-day flaw to steal the data from the infrastructure of Saudi Aramco back in 2020.

The seller published multiple ads in multiple hacking forums and also offered access to a sample of the stolen info, including blueprints and PII.

Below the list of info stolen by the threat actor and available for sale:

    – Project Specification:[ Electrical, Power System, Architectural, Chief Engineering, Civil, Construction Mgnt, Environmental, Instrument & Control, Interface Mgnt, Machinery – Rotating, Mechanical – Vessels, Piping, Project Engineering, Safety Engineering, Telecommunications ]
    – Analysis Reports
    – Project Design basis
    – Unit Prices
    – Agreements
    – Network Documents:[ Internet Protocol, Scada Points, IP Camera, Wireless Access Point ]
    – File Systems
    – Saudi Bahrain Crude oil Pipeline
    – Letters
    – Location Map and Precise Coordinates
    – Information Regarding Most Of The Employees
    – Aramco’s Clients
    – Invoices
    – Contracts
    – full info about14254 employees: [ Name, photo, passport, email, phone number, Iqama number, Job title, family info, ID number, certificates, Aramco ID, and more ..]

The threat actor also setup a leak site on the Tor network reporting a countdown of about 28 days before the beginning of the public negotiations.

ZeroX is also offering a 1 GB sample for US$2,000 that could be paid in Monero (XMR) virtual currency.

This isn’t the first attack suffered by the Oil giant, in 2012 Saudi Aramco suffered a major cyber attack, alleged nation-state actors used the Shamoon wiper to destroy over 30,000 computers of the company.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Saudi Aramco)

[adrotate banner=”5″]

[adrotate banner=”13″]