Attackers have stolen over a terabyte of data from Saudi Aramco (aka Saudi Arabian Oil Company), which they are selling on the darknet.
Saudi Aramco is one of the largest public petroleum and gas companies in the world, with almost $230 billion in annual revenue.
Saudi Aramco has blamed the data breach that occurred last year on third-party contractors and says the attack had no impact on its operations.
ZeroX, a threat actor group, is offering up to 1 TB of data belonging to Saudi Arabia’s Aramco for sale. The group claims that the data it obtained was stolen from the servers of Saudi Aramco in 2020.
A small 1Gb sample set of blueprints and proprietary documents belonging to Saudi Aramco was posted online in June this year. The samples contain personally identifiable information, which was redacted on the leak site. The cost of the samples alone was US$2,000.
Meanwhile, the hackers’ .onion leak site has a countdown timer indicating that negotiations would begin after 662 hours (about 28 days).
The group says that the documents include details about the company’s refineries located in various Saudi Arabian cities.
The hackers claim the stolen data includes: full information on 14,254 employees (name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.); project specification for systems (electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.); internal analysis reports, agreements, letters, pricing sheets, etc.; network layout with IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices; location map and precise coordinates; list of Aramco’s clients; and invoices and contracts.
The price of the entire 1 TB is US$5 million, although the amount is negotiable. A one-off sale, plus a demand that the data be wiped completely from ZeroX’s servers, is priced at a whopping US$50 million.
ZeroX claims they have been negotiating the sale with five buyers so far.
Hackers also made it clear that this incident is not a ransomware attack, as both the threat actor and Saudi Aramco have confirmed to BleepingComputer.
“Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors. We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture,” an Aramco spokesperson told BleepingComputer.