Saudi Aramco data breach: Hackers stole 1 TB worth of data

Saudi Aramco suffers a massive data breach. Hackers stole 1 TB of confidential data belonging to Saudi Aramco, the Saudi Arabian Oil Company, and sold it on the dark web.


Saudi Aramco is one of the world’s largest publicly traded oil and gas enterprises.


The oil giant employs approximately 66,000 people and generates $230 billion in annual revenue.




Saudi Aramco’s data is available for a negotiated fee of $5 million, according to the hackers.


Saudi Aramco accused the data breach on third-party contractors, claiming that the event had no impact on the company’s operations.


ZeroX, an attack group, claims the data was stolen sometime in 2020 by hacking Aramco’s “network and servers.”


According to the group, the files in the dump date as far back as 2020, with some dating as far back as 1993.


The gang labelled it “zero-day exploitation” while not specifying how they acquired access to the systems.


A tiny sample set of Aramco’s blueprints and proprietary papers with redacted PII were originally released on a data breach marketplace forum in June this year in order to attract some prospective buyers.



Forum post with a link to the dark web leak site
Source: BleepingComputer (Forum post with a link to the dark web leak site)



The 1 TB dump, according to the hackers, contains documents related to Saudi Aramco refineries in cities across Saudi Arabia, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran.


The .onion leak site featured a countdown timer set to 662 hours, or about 28 days, at the time of initial publishing, after which the sale and talks would begin.


Threat actors announced data would be up for sale after 662 hours
Source: BleepingComputer (Threat actors announced data would be up for sale after 662 hours)



The choice of “662 hours” was deliberate, ZeroX told BleepingComputer, and a “puzzle” for Saudi Aramco to solve, although the specific reason remains unknown


Some of this data includes:

  • Name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, and more for 14,254 employees.
  • Project specifications for electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecommunications, and other systems.
  • Reports on internal analysis, agreements, letters, price sheets, and so on.
  • IP addresses, Scada points, Wi-Fi access points, IP cameras, and IoT devices are all plotted out on the network layout.
  • Detailed coordinates and a map of the location.
  • A list of Aramco’s clients, including with invoices and contracts, are available.


Personal identifiable information (PII) has been removed from the ZeroX samples provided on the leak site, and a 1 GB sample alone costs US$2,000 in Monero (XMR).


A party seeking an exclusive, one-time sale can expect to pay up to $50 million.


Even while some have speculated that this is a “ransomware attack,” both the threat actor and Saudi Aramco have stated that this is not a ransomware attack.



You might also like:


American fashion brand Guess suffers data breach

Mint Mobile data breach: Hackers accessed personal data

Morgan Stanley suffers data breach: Report