Critical Infrastructure Security , Fraud Management & Cybercrime , Ransomware
Halliburton Says Hackers Stole Data
Firm Says It Is Still 'Evaluating the Nature and Scope of the Information'Oil service giant Halliburton told U.S. federal regulators Tuesday that hackers stole data after the firm acknowledged "unauthorized activity" on its networks in late August.
See Also: Supply Chain Targeting: Trends and Predictions
The Texas multinational reported that it detected hacking on Aug. 21, which led to it "proactively taking certain systems offline to help protect them and notifying law enforcement" (see: Oil Services Giant Halliburton Disrupted by Hack Attack).
The firm now says that hackers "accessed and exfiltrated information" - but that it is still "evaluating the nature and scope of the information." Company stock price was down nearly 4% deep into Tuesday afternoon in trading marked by a sharp drop at the start of day, when Halliburton disclosed the data breach.
Bleeping Computer reported the likely attacker as ransomware-as-a-service group RansomHub after matching indicators of compromise including apparent encryptor, a file named maintenance.exe
, to the extortion group. RansomHub did not immediately respond to a request for comment.
Halliburton, which earned $23 billion in revenue last year and employs close to 50,000, is an upstream oil service firm and doesn't own or run any oil fields or pipelines. The company provides services ranging from exploration and drilling to pipeline services and software. The incident "caused disruptions and limitation of access to portions of the company's business applications supporting aspects of the company's operations and corporate functions," Halliburton disclosed.
A Thursday advisory from the federal government says the nascent RansomHub operation - it debuted in February - has become "an efficient and successful" practitioner of the ransomware-as-a-service model. In just seven months of activity, it's racked up at least 210 victims, the government estimates.
Formerly known as Cyclops and Knight, or at least using malware based on those groups' code, the group has benefited from affiliate hackers seeking a new virtual home in the wake of law enforcement disruptions to LockBit and to BlackCat/Alphv's apparent exit from the criminal underground (see: RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat).
Rumors that RansomHub is a BlackCat rebrand are likely untrue, said ransomware analyst Jon DiMaggio, chief security strategist at Analyst1. BlackCat code does appear in the apparent payload used to attack Halliburton, he said, but it's likely just evidence that a former BlackCat affiliate or developer brought code with them than it is proof of a rebrand. "There's not evidence to support a rebrand. There is evidence to support that there's overlap."