UPDATED 22:31 EST / JULY 21 2021

SECURITY

$50M demanded following ransomware attack on oil company Saudi Aramco

Saudi Aramco, the state oil company of Saudi Arabia, has been targeted in a ransomware attack, with a $50 million ransom payment demanded.

Officially, the attack is being described by the company today as an indirect release of a limited amount of company data held by third-party contractors. Saudi Aramco noted that there was no breach of its systems and said the attack had no impact on its operations.

A group called ZeroX is taking credit for the attack. ZeroX claims on a dark web page that it holds 1 terabyte of data from the company and is threatening to release the stolen data if the ransom is not paid.

ZeroX said the attack involved hacking Aramco’s “network and its servers” in 2020 and told Bleeping Computer that the attack vector involved “zero-day exploitation,” meaning the exploitation of a vulnerability that had not been discovered before.

A listing for the stolen data was posted to the infamous hacking forum Raid Forums on June 23. The data allegedly includes project specifications, analysis reports, project design basis, unit prices, agreement, network documents, file systems, letters, client information, contracts and full information on 14,254 employees.

This is not the first time hackers have targeted Saudi Aramco. The company was forced to shut down its entire network in August 2012 following a malware attack.

“While keeping in mind that most of the details about this breach are unconfirmed, with only its mere existence confirmed, the list of data points in the trove provided by the threat actor is worrying,” Dirk Schrader, global vice president of marketing at IT security and compliance software firm New Net Technologies LLC, told SiliconANGLE. “Specifications related to engineering projects and SCADA points are of interest to those who are keen on attacking the operational technology side of Aramco’s infrastructure and there are quite a few names of threat actor groups either in the region or with a known history of attacks against OT that are most likely interested in this kind of data.”

Information about employees, with full details of about one-fourth of all of Aramco’s workforce, is a collection likely to be attractive to cybercriminals, he added. They may use spear-phishing or business email compromise tactics, he said.

Photo: David Stanley/Flickr
