
Halliburton says hackers stole data

The company says it is “still evaluating the nature and scope of the information”

David Perera (@daveperera) • September 3, 2024

Halliburton said hackers stole data in a cyber incident in August. (Image: Shutterstock)

Oilfield services giant Halliburton told U.S. federal regulators on Tuesday that hackers stole data after the company acknowledged “unauthorized activity” on its networks in late August.

The Texas multinational said it detected a hack on August 21, which led it to “proactively take certain systems offline to protect them and alert law enforcement” (see: Oilfield Services Giant Halliburton Hit by Cyber Attack).

The company now says the hackers “accessed and exfiltrated information” — but that it is “still assessing the nature and scope of that information.” The company’s stock fell nearly 4% Tuesday afternoon, in trading that was marked by a sharp decline earlier in the day when Halliburton disclosed the data breach.

Bleeping Computer reported that the likely attacker was the ransomware-as-a-service group RansomHub after linking indicators of compromise, including an apparent encryptor, a file named maintenance.exe, to the extortion group. RansomHub did not immediately respond to a request for comment.

Halliburton, which had revenue of $23 billion last year and employs nearly 50,000 people, is an upstream oilfield services company that does not own or operate any oil fields or pipelines. The company provides services ranging from exploration and drilling to pipeline services and software. The incident “resulted in disruptions and limited access to portions of the company’s business applications that support certain aspects of the company’s operations and functions,” Halliburton said.

A notice released Thursday by the federal government says the nascent RansomHub operation — which began in February — has become an “effective and successful” practitioner of the ransomware-as-a-service model. In just seven months of operation, it has victimized at least 210 people, the government estimates.

Formerly known as Cyclops and Knight, or at least using malware based on those groups’ code, the group has benefited from the affiliation of hackers seeking a new virtual home following the law enforcement disruptions at LockBit and the apparent emergence of BlackCat/Alphv from the criminal underground (see: RansomHub is the result of attacks by former affiliates of LockBit and BlackCat).

Rumors that RansomHub is a rebranding of BlackCat are likely false, said Jon DiMaggio, a ransomware analyst and chief security strategist at Analyst1. BlackCat code does appear in the apparent payload used to attack Halliburton, he said, but that’s likely just evidence that a former BlackCat affiliate or developer brought code with them rather than evidence of a rebranding. “There’s no evidence to support a rebranding. There’s evidence to support an overlap.”