The latest roundtable discussion from Security on Screen analyses the Saudi Aramco ransomware attack that occurred this week, establishing yet another hit to national infrastructure – how can organisations avoid the risks associated with third parties and contractors?

Dhahran-based petroleum and natural gas company, Saudi Aramco has confirmed several of its company files were leaked this week after hackers reportedly demanded a $50 million ransom. The reports indicate that 1 terabyte of Saudi Arabian Oil Co. data had been held by an extortionist, citing a web page it had accessed on the darknet, to which the state-owned driller was offered the chance to have the data deleted for $50 million in cryptocurrency.

Oil & Gas sector: a hub for ransomware

This incident adds to the the global energy industry seeing a significant ramp up in cyber-attacks with Colonial Pipeline becoming the most visible of late. According to consultants, the oil and gas industry, which includes the companies that own wells, pipelines and refineries, has long been a laggard in security spending.

In 2012, Saudi Arabia blamed unidentified people based outside the kingdom for a hack against the oil giant that aimed to disrupt production from the world’s largest exporter of crude. The so-called ‘spear-phishing’ assault destroyed more than 30,000 computers within hours. A spokesman for the Interior Ministry declined at the time to identify any of the ‘several foreign countries’ from which the attack originated.

Energy companies from electric utilities, to power-grid operators to pipeline operators have warned that cyberattacks are becoming more and more prevalent. The largest US power grid operator, PJM Interconnection LLC, has warned regulators that it’s facing increasing attacks.

Mitch Mellard, Principal Threat Intelligence Analyst at Talion says: “The extortion technique Saudi Aramco is experiencing is currently on the rise and many organisations across the world are suffering these double-hit attacks. However, to pay or not to pay can be a difficult conundrum. When systems are taken down, services are halted and a businesses’ data or IP are at risk, some businesses feel they have no choice but to pay. Ransomware is now a threat to critical infrastructure and our national security.”

“While it is not known if Saudi Aramco has paid the demand, many organisations may find themselves in a similar position and will have to assess whether to lose important data or make the news as “breached” and risk ruining their reputation,” adds Nikos Mantas, Incident Response Expert, Obrela Security Industries.

“When data loss threatens operations or could put an organisation out of business entirely, sometimes taking the financial hit seems like the lesser of two evils. Cybercriminals are aware of this which is why these demands are so high just now, and a lot of the time they will amount in a pay-out. However, paying ransom demands is never something we recommend. 

“Ransom attacks are here to stay and as double-extortion incidents are becoming increasingly prominent, businesses need to prepare solid incident response strategies and plans, to minimise the impact of a breach. The cyber-security posture of a partner can play a significant role in avoiding a supply-chain compromise, so organisations should be implementing regular cybersecurity controls, via internal or external assessments, to minimise the risk of data exposure.”   

Beware the third party

“Aramco recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors,” the Middle Eastern oil major said in an email. “We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cybersecurity posture.”

Accoridng to Demi Ben-Ari, CTO and Co-Founder of Panorays, a company cannot possibly maintain a robust cybersecurity posture if it shares data with insecure third parties. “If a third party is hacked,” he continues, “then the organisation that it is connected to can be hacked as well, and subject to lawsuits, hefty regulatory fines, loss of reputation, and more. This is why it’s absolutely crucial for all companies to thoroughly assess and continuously monitor the security of all of their third parties, vendors, suppliers, and business partners.”

Product Manager at comforte AG, Trevor Morgan agrees: “Because details are vague in terms of the attack methods used to gain this data, the immediate issue becomes less about the attack vector and technical methods by which Saudi Aramco or the third-party contractor could have defended against the incident, and more about how large enterprises vet, establish, and then manage cooperative relationships with third parties, what level of data access they grant to third parties, and what the culture of data privacy and security is that guides them. 

“This is an unfortunate example of the risks associated with third parties and contractors,” adds Erich Kron, Security Awareness Advocate at KnowBe4. “The contractor appears to have had access to a significant amount of data, with a terabyte having been stolen. This highlights how important Data Loss Prevention (DLP) controls are in organisations, as the undetected theft of this much data shows that there are significant shortcomings in the data protection controls.

“While the cyber criminals say they will delete the data if the organisation pays the extortion fee, there is no guarantee that the information will actually be destroyed. Due to their criminal nature, the more likely scenario will be that some of the data will still end up for sale on the dark web, leaving no recourse for the organisation. The contents of the stolen data will play a significant role in how much leverage the data thieves have over the organisation.”

Morgan concludes: “To truly learn from this incident, every organisation should ask the following questions. How much access do our third-party partners and contractors have to our most sensitive data, and is that access commensurate with their business needs? How do we ensure that they keep our most sensitive information secure? And most importantly, how seriously do we take establishing and nurturing a corporate culture that values data privacy and security throughout our organisation? Where these questions lead you is a wholly worthwhile endeavour.”