Dark Web actors offering 1TB stolen from Saudi Aramco

A previously unknown underground actor using the alias Zerox296 has put up for sale a massive amount of data presumably belonging to petroleum giant Saudi Aramco.


The data, which includes 1TB of various files ranging from engineering schemes, network infrastructure details and project documentation to IDs of employees and contractors, is offered for $5,000, with the option to buy it out, with subsequent removal, for $50,000. Payment is accepted in Monero (XMR), a cryptocurrency with enhanced privacy that gives threat actors better anonymity when receiving ransom payments from victims.

Interestingly, the posting was published on July 14 on one of the major Dark Web forums, the day after the notorious ransomware group REvil disappeared. Experts are speculating whether it could be the work of affiliates of the group, or whether other actors have decided to use similar ‘hack-and-leak’ tactics to extort Saudi Aramco.

On 15 August 2012, Saudi Aramco and Qatar’s RasGas suffered a major cybersecurity incident when more than 30,000 hosts were attacked with the Shamoon malware (شمعون‎), also known as W32.DistTrack.


A group named “Cutting Sword of Justice” claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend more than a week restoring their services. Saudi Aramco noted that all infected workstations were cleared of the virus, and the systems responsible for oil production were not affected, since they are connected to a separate network.

As a result of the hack, the group also published router configurations, the email account credentials of CEO Khalid A. Al-Falih, and access to security appliances. Another hacking group, called Arab Youth Group, also claimed responsibility for the attack, explaining it as punishment for collusion between the Saudi Arabian government and the United States to support Israel.

However, there is no confirmation of this information from official sources. Experts categorized the use of Shamoon as cyberwarfare.

In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical. Responsibility for this attack remains unclear, but Saudi Arabian security officials said that the country had been targeted as part of a wide-ranging cyber espionage campaign observed against five Middle East nations as well as several countries outside the region.

It is not clear whether the recent Dark Web posting is related to past events, but according to multiple sources, the information looks authentic and could have been stolen from the company's employees or from a third party, including a contractor.


Company: Saudi Aramco, officially known as Saudi Arabian Oil Company, is the world’s biggest oil producer

Locations: [Yanbu Refinery, Jazan Refinery, Jeddah Refinery, Ras Tanura Refinery, Riyadh Refinery, Dhahran Refinery]


  1. Project Specification: [Electrical, Power System, Architectural, Chief Engineering, Civil, Construction Mgnt, Environmental, Instrument & Control, Interface Mgnt, Machinery – Rotating, Mechanical – Vessels, Piping, Project Engineering, Safety Engineering, Telecommunications]
  2. Network Documents: [Internet Protocol, Scada Points, IP Camera, Wireless Access Point]
  3. Analysis Reports
  4. Project Design basis
  5. Unit Prices
  6. Agreements
  7. File Systems
  8. Saudi Bahrain Crude oil Pipeline
  9. Letters
  10. Location Map and Precise Coordinates
  11. Information Regarding Most Of The Employees
  12. Aramco’s Clients and more …

The data is also offered via a TOR page that has an automatic payment module.

According to Saraj Pant, cyber threat intelligence with Resecurity, a Los Angeles-based cybersecurity company, it is too early to determine the real impact of this leak: “The limited set of documents published in TOR contains speculative information. The most recent is a document dated October 29, 2014 – 2 years after the famous attack. It is possible the actors are selling the data available to them from the past, with the goal to extort the company.”

The majority of the documents carry the marking “Issued for Construction” (likely developed by a third party), and one document carries the marking “Restricted”.

In 2020, Saudi Aramco confirmed an increase in attempted cyber attacks. The industrial sector remains one of the key targets of ransomware groups. This year, oil giant Shell disclosed a major data breach linked to the Accellion FTA vulnerability exploitation campaign; the Clop ransomware gang took responsibility for the attack.

Update (July 18, 2021):

The editorial team has been contacted by Zerox296, who clarified that he also has documents from 2020, and that the price for this data is now $5M (for download) and $50M (for removal). According to the actor, he and his group identified a “zero-day vulnerability in cloud storage, and exploited it recently”.

We will continue to monitor the development of this activity.
