Stolen Saudi Aramco Data Offered on the Dark Web

A 2020 cyberattack resulted in the theft of 1 terabyte of information from the oil giant.

Hacker group ZeroX is offering Saudi Aramco data for sale for $5 million.

Data stolen in a cyberattack on Saudi Aramco is being offered for sale on the darknet. A group called ZeroX reportedly stole about 1 terabyte of data from a contractor working with the Saudi state oil company.

The attackers said that the data includes documents pertaining to Saudi Aramco’s refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran. They said it also includes information on 14,254 employees, such as names, photos, email, and phone numbers, along with additional, potentially sensitive business information. The group released samples of the stolen data on a darknet leak site.

Saudi Aramco told The Associated Press that it “recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors.”

The oil company did not identify which contractor was affected, or say whether the contractor had been hacked or the information was leaked another way.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cybersecurity posture,” Aramco said.

A page on the darknet offered Aramco a chance to have the data deleted for $50 million in cryptocurrency, while another offered to sell the data to any interested party for $5 million. ZeroX told website BleepingComputer that, up until this point, it has been negotiating a sale with five buyers. The hackers said they stole the data, some of which dates to the early 1990s, sometime in 2020.

The attack on Saudi Aramco was not a ransomware event. According to BleepingComputer, the threat actors did try to contact Saudi Aramco to inform them of the breach but did not hear back and did not attempt extortion after gaining access to their networks.

This is not the first time cyberattackers have targeted Saudi Aramco. In 2012, the oil company was hit by the Shamoon virus, which deleted 30,000 hard drives. Iran was blamed for that attack. Five years later, a similar virus disrupted computers at Sadara, a joint venture between Aramco and Dow Chemical.

Just last month, Saudi Aramco selected eight service firms as exclusive suppliers for conducting third-party cybersecurity assessments and issuing compliance certificates. The oil giant introduced its Cybersecurity Compliance Certificate Program for its suppliers in 2020, designed to minimize third-party risk.