Vendor security continues to be in the news, this time courtesy of a data breach at oil giant Saudi Aramco. The stolen data, apparently 1 TB containing proprietary company information and full employee profiles, was filched due to a third-party security lapse at an unnamed contractor.
The incident has a number of unique qualities. Though it serves as yet another reminder of the glaring third-party security gaps that can exist in connected vendor systems, this one may not be entirely due to poor cybersecurity hygiene, as it appears that some sort of zero-day was used. And though the attackers are attempting to extort the company before putting the data up for sale, they did not opt to deploy ransomware. The hackers have also apparently given Saudi Aramco some sort of time-limited “puzzle” to solve as part of its payment process.
Data breach of oil giant compromises project specifications, client lists
The centerpiece of the data breach is a collection of confidential and proprietary company information, as evidenced by a small sample the hackers posted on the dark web: blueprints, private internal documents such as analysis reports, project specifications, network layouts and location maps with exact coordinates. The third-party security breach also appeared to expose a list of the oil giant’s clients, complete with invoices and billing information. The data appears to extend back a long time, with the oldest files in the collection dated 1993.
The hackers redacted personal information from the sample, but the data for sale appears to include detailed profiles of 14,254 employees of the company (which has over 66,000 working for it in total). This includes full names, photographs, passport scans, emails, phone numbers, residence permit (Iqama card) numbers, job titles, employee ID numbers, family information, and more.
The data breach sample was listed on an underground forum for a price of $2,000 in Monero, with the hackers setting the opening price for the trove at $5 million. However, they have offered Saudi Aramco a limited opportunity to pay $50 million to recover the data with a promise to wipe it out and not sell it to other parties. Strangely, the hackers seem to have created some sort of puzzle for the oil company to solve as well. As of the first post, the hackers gave Saudi Aramco 662 hours (28 days) to negotiate its terms before the data is made available to any takers at $5 million a pop.
The threat group calls itself ZeroX, an entity not known for any prior major activities of this type. Reporters with BleepingComputer were able to contact the group, which would not name the exact vulnerability it used to create the third-party security opening but did say that it was a zero-day of some sort. Saudi Aramco also did not elaborate on the exact nature of the compromise, but did say that it had no impact on its day-to-day operations.
Third party security in the spotlight once again
With annual revenues of about $230 billion, there is at least a fair chance that Saudi Aramco simply pays the $50 million and hopes that ZeroX keeps its word about removing the stolen data from the market. Though ransomware was not used in this particular case, this has been the target-selection logic of ransomware gangs of late: rather than casting a broad net, they focus on companies that can afford to pay the demand and do not have much tolerance for downtime. Third-party security is often the easiest path in, with smaller contractors having less in the way of budget for proper defenses.
Though Saudi Aramco says that its normal operations were not negatively affected by the data breach, a third-party security vulnerability is something it has little control over beyond terminating its arrangement with the vendor and finding a new one.
According to Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, this highlights the need for comprehensive programs that can manage the third-party security risk created by dealing with potentially hundreds to thousands of contractors: “Aramco’s statement saying that the data comes from a third-party contractor highlights the importance and urgency to implement a holistic Third-Party Risk Management (TPRM) program to prevent supply chain attacks. Furthermore, a growing number of legislation including the UK and EU GDPR, state and federal laws in the US and emerging privacy laws in Brazil or South Africa now make companies liable for their breached suppliers. Given that some of the compromised data allegedly comes from 1993, it is not impossible that the data comes from several breached suppliers as well as from Aramco networks directly. Oftentimes, suppliers have privileged and virtually uncontrolled access to corporate resources on-premises and in the cloud, both of which are low-hanging fruit for shrewd cybercriminals. Many modern cyber gangs focus solely on hacking technology vendors to pivot to their customers in a simple, inexpensive and effortless manner.”
Though it was not a direct data breach, the company may now also be looking at a major internal security overhaul, as the stolen data contained a map of its entire network including IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices. The client invoices included in the data set would also most likely lead to a wave of attempted fraud looking to exploit the company’s billing systems. This may also push it to pay the $50 million demand and hope for the best, though Dirk Schrader (Global VP of Marketing, NNT) points out that the company should not be complacent even if the sale listing is removed from the dark web: “Specifications related to engineering projects and SCADA points are of interest to those who are keen on attacking the OT side of Aramco’s infrastructure and there are quite a few names of threat actor groups either in the region or with a known history of attacks against OT that are most likely interested in this kind of data. Information about employees, with full details of about one fourth of all of Aramco’s workforce, is a collection that can’t be ignored by cyber criminals using spear phishing tactics or attempting some type of business email compromise, which in itself is supported by additional pieces of information in the trove like invoices and contracts. Overall, the potential risk related to this data breach cannot be ignored by Saudi Aramco.”
ZeroX claims that it has been in contact with at least five potential buyers since announcing the data breach. These could include state-backed threat actors; Iran is not out of the question given that it has been linked to a prior attack on Saudi Aramco in 2012, using the Shamoon virus to wipe out the data on tens of thousands of company computers. State-backed Iranian teams have also been spotted lurking in the region and targeting various Saudi companies since 2017, which could very well include some of Saudi Aramco’s many contractors.