Saudi Aramco Targeted In $50M Crypto Extortion Scheme After Major Data Breach

Saudi Aramco is pointing the finger at a third-party contractor for a breached data incident which has resulted in demands for $50 million in ransom from an unknown mysterious entity in what's looking like a Colonial Pipeline style cyber drama. The Saudi oil giant acknowledged to The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors." 

"We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said, without specifying the contractor through which the breach happened. The language of "indirect release" reveals it was likely a leak and not the result of an external hacking operation.

It's also unclear just what type of data or possibly "compromising" content the hackers are in possession of - only that they deem it valuable enough to attempt the blackmail scheme, now subject of multiple international reports. It appears they are seeking payment in the cryptocurrency Monero (XMR).

The AP describes that "A page accessed by the AP on the darknet — a part of the internet hosted within an encrypted network and accessible only through specialized anonymity-providing tools — claimed the extortionist held 1 terabyte worth of Aramco data. A terabyte is 1,000 gigabytes."

"The page offered Aramco a chance to have the data deleted for $50 million in cryptocurrency, while another timer counted down from $5 million, likely in an effort to pressure the company. It remains unclear who is behind the ransom plot," the report continues.

Among the world's biggest companies, Saudi Aramco has over 66,000 employees and sees about $230 billion in annual revenue, and is valued at $2 trillion. Like the Colonial Pipeline saga in the US, the company is no doubt mulling as 'an option' the possibility of paying the ransom to make its problems quickly go away.

According to the prominent cybersecurity publication Bleeping Computer, it appears those in possession of the terabyte of Aramco data do have highly sensitive information. "The group says that the 1 TB dump includes documents pertaining to Saudi Aramco's refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran," the publication writes.

Saudi Arabia’s state oil giant acknowledged Wednesday that leaked data from the company – files now apparently being used in a cyber-extortion attempt involving a $50 million ransom demand – likely came from one of its contractorshttps://t.co/Tz75iQ4N0l

— The New Arab (@The_NewArab) July 21, 2021

Bleeping Computer further details that some of this data includes:

1. Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
2. Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
3. Internal analysis reports, agreements, letters, pricing sheets, etc.
4. Network layout mapping out the IP addresses, Scada points, Wi-Fi access points, IP cameras, and IoT devices.
5. Location map and precise coordinates.
6. List of Aramco's clients, along with invoices and contracts.

The group is threatening to sell or dump the Aramco proprietary data online if the company doesn't act fast to pay the ransom, even reportedly setting up a 'countdown' clock.