Hackers steal 1 TB data from Saudi Aramco, put it on sale for $5 million

  • The hack is believed to have taken place sometime in 2020, and involved Aramco’s employees and third-party contractors

  • The 1 TB of data includes not just employee details but Aramco’s proprietary information and even lists of its clients and their invoices and contracts

Hackers have stolen around 1 terabyte — 1,024 gigabytes — of data from Saudi Aramco and have put it on sale on the dark web for $5 million, said reports on Wednesday.

The data breach is believed to have taken place sometime in 2020, and involved its employees and third-party contractors.

The individual or entity behind the hack was identified by the reports as one ZeroX. The data this threat actor got dates from 1993 to 2020.

The reports said this threat actor used a zero-day vulnerability in the security systems of Saudi Arabian Oil Company, aka Saudi Aramco, to steal the data.

(A zero-day vulnerability is a security flaw that is exploited before the vendor knows about it or has released a fix, so defenders have had zero days to patch it.)

The data apparently includes details of Aramco employees, like their full names, photos, passport details, emails, job titles, phone numbers, certificates, Aramco ID numbers, family information, and residence permit numbers.

The data also includes Aramco’s proprietary information and internal company details, like project specifications for systems, internal analysis reports, agreements, letters, and pricing sheets.

It is also said to include network layouts mapping out IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices, location maps and precise coordinates, and even a list of Aramco’s clients, along with invoices and contracts.

The hacker reportedly put up one such bit of data, a redacted blueprint, on a dark-web portal to entice buyers.

There is also a counter on this portal that apparently signals that negotiations with buyers will begin in about four weeks.

The price that the hacker has set for the data is $5 million, but he was quoted by one news report as saying that this was negotiable.

However, a one-off buy, in which ZeroX sells the data to a single buyer only and wipes it from the web, is said to cost $50 million.
