Saudi Aramco confirms data leak after $50m cyber ransom demand

Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50m ransom from the company.

Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors”. The oil company did not name the supplier or explain how the data were compromised.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,” Aramco added.

The statement came after a hacker claimed on the dark web that they had stolen 1 terabyte of Aramco’s data, according to a post from June 23 seen by the Financial Times. The hacker said it had obtained information on the location of oil refineries, as well as payroll files and confidential client and employee data.

In another post, the perpetrator offered to delete the data if Aramco paid up $50m in a niche cryptocurrency Monero, which is particularly difficult for authorities to trace. The post also offered prospective buyers the chance to purchase the data for about $5m.

The oil giant has the capacity to pump more than one in every 10 barrels of crude in the global market and any threats to its security or facilities are closely watched by oil traders and policymakers.

The security vulnerabilities of energy companies and pipelines in particular have fallen under the spotlight recently after the hack of the Colonial Pipeline in the US earlier this year resulted in fuel shortages across the east coast of the country.

It was unclear who was behind the Aramco incident. Cyber researchers noted that the attack did not appear to be part of a ransomware campaign, where hackers use malware to seize a user’s data or computer systems and only release it once a ransom has been paid. Nor did the hacker claim to be part of a known ransomware gang.

Instead, the hacker appeared to have seized a copy of the data without using malware, and set up dark web profiles to telegraph its activities.

Saudi Aramco’s facilities have been targeted in the past by both physical and cyber attacks.

In 2019 the Abqaiq processing facility in the eastern part of the country, which prepares the majority of the kingdom’s crude for export, was hit by a series of missile and drone strikes that the US blamed on Iran. Global oil prices soared until Saudi Arabia was able to reassure markets it could still export enough oil to keep customers well supplied.

In 2012 an alleged cyber attack on Saudi Aramco was also blamed on Iran. Cyber security experts have said this was probably a retaliation for the Stuxnet attack on Iran’s nuclear programme, which has been widely attributed to the US and Israel.

The 2012 attack erased data on about three-quarters of Aramco’s computers, according to reports at the time, including files, spreadsheets and emails. They were replaced with an image of a burning US flag.

Saudi Aramco refineries, including the newly opened Jazan facility, which was listed in screenshots of the allegedly leaked data, have also been subject to physical attacks both from drones and missile strikes, which have been claimed by Iran-backed Houthi rebels in Yemen. The Jazan refinery is in Saudi Arabia’s south-west on the Red Sea, not far from the Yemen border.

The extortion attempt was first reported by the Associated Press.
