
Halliburton Falls Victim To RansomHub Ransomware

Halliburton discovered unauthorised access to its networks, although the exact nature and behaviour of the attack have not been disclosed. In response, Halliburton took some of its systems offline to contain any potential impact. The outage caused a serious interruption, leaving customers unable to generate invoices or purchase orders.

The incident highlights the exposure of the energy sector, which is increasingly targeted by attackers going after critical infrastructure. In a filing with the SEC, Halliburton stated that on August 21, 2024, an unidentified group initiated a cyberattack against the company.

Erle P. Halliburton founded the company in 1919, and it has since grown into one of the largest oilfield services suppliers in the world. Headquartered in Houston, it provides a wide range of products and services to the energy sector and operates in some seventy countries.

The company provides a wide range of services to the oil and gas industry, including well construction, drilling, hydraulic fracturing (fracking), and IT solutions. This breadth creates deep dependencies between the company and its clients, so a disruption at Halliburton is felt across its customer base.

The Mystery Behind Halliburton’s Ransomware Attack

The company has not disclosed details of the breach, leaving customers, particularly those in the oil and gas industry, uncertain whether they were affected or what protective steps to take.

The initial access technique remains undisclosed, and it is not known exactly which systems were compromised. Nevertheless, the scale of the breach led Halliburton to submit a Form 8-K to the United States Securities and Exchange Commission (SEC) on August 23, 2024. Publicly traded companies must make this filing when a material event occurs.

Halliburton's immediate activation of its cybersecurity response plan points to a major security event, even though the Form 8-K did not disclose the nature of the attack or the extent of the damage. That readiness suggests the company had procedures in place for such situations.

On August 26, Halliburton informed suppliers by email that it had taken systems offline as a precaution and was working with Mandiant to investigate. Because its email is hosted on Microsoft Azure, mail remained operational even while on-premises servers were unavailable.

The email also described an interim process for generating and executing purchase orders, and it included a list of indicators of compromise (IOCs), such as file names and IP addresses connected to the attack.

One of the IOCs is a Windows executable named "maintenance.exe", which has been identified as a RansomHub ransomware encryptor. Analysis suggests this sample is a newer build that adds a "-cmd string" command-line option, which runs a supplied command on the device before encryption begins. A file name on its own is a weak indicator, since the operator can rename the binary at will; defenders should match it alongside the hash, network and behavioural IOCs in the same notice.
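To show what matching a vendor IOC notice against endpoint telemetry looks like in practice, here is an added example that is not code from the article, from Halliburton's supplier email, or from Mandiant. It takes a small IOC list and a few constructed Sysmon-style log lines (process creation, Event ID 1, and network connection, Event ID 3, flattened to key=value text) and flags processes whose image name matches an IOC file name, records whether the "-cmd" pre-encryption switch described above was present, and flags connections to IOC addresses. The file name "maintenance.exe" and the "-cmd" switch come from the article; every host name, path, command string and IP address below is made up for the example (the IPs are drawn from the RFC 5737 documentation ranges).

```python
"""Match a constructed IOC list against constructed Sysmon-style log lines.

Added example, not from the article or any vendor notice. Only the file
name "maintenance.exe" and the "-cmd" switch are taken from the article;
hosts, paths, command strings and IP addresses are invented.
"""
import re
from dataclasses import dataclass
from ntpath import basename  # Windows path handling regardless of host OS
from typing import List, Optional

# IOC list in the shape a vendor notification usually has.
IOC_FILE_NAMES = {"maintenance.exe"}             # from the article
IOC_IPS = {"203.0.113.17", "198.51.100.44"}      # constructed, RFC 5737 ranges

# Constructed log lines: Event ID 1 = process create, Event ID 3 = network
# connect. Values containing spaces are double-quoted, inner quotes escaped.
SAMPLE_LOGS = """\
EventID=1 Host=WS-FIN-012 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Host=WS-FIN-012 Image=C:\\Users\\Public\\maintenance.exe CommandLine="maintenance.exe -cmd \\"net stop backupsvc\\""
EventID=3 Host=WS-FIN-012 Image=C:\\Users\\Public\\maintenance.exe DestinationIp=203.0.113.17 DestinationPort=443
EventID=3 Host=SRV-ERP-03 Image="C:\\Program Files\\ERP\\erp.exe" DestinationIp=10.20.30.40 DestinationPort=1433
EventID=1 Host=SRV-ERP-03 Image=C:\\Temp\\Maintenance.EXE CommandLine=maintenance.exe
"""

# key=value pairs; a value is either a quoted string (with \" escapes) or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The "-cmd <string>" switch, with its argument quoted or bare.
PRE_CMD = re.compile(r'(?:^|\s)-cmd\s+("(?:[^"\\]|\\.)*"|\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str                       # "ioc_file_name" or "ioc_ip"
    detail: str
    pre_encrypt_cmd: Optional[str] = None   # argument of -cmd, if present


def parse_line(line: str) -> dict:
    """Split one flattened event into a dict, removing quoting from values."""
    fields = {}
    for key, raw in KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def scan(log_text: str) -> List[Finding]:
    """Return a Finding for every event that matches a file-name or IP IOC."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev.get("Host", "?")
        image = ev.get("Image", "")
        if ev.get("EventID") == "1":
            # Case-insensitive match on the image's base name, not the full path.
            if basename(image).lower() in IOC_FILE_NAMES:
                m = PRE_CMD.search(ev.get("CommandLine", ""))
                pre = m.group(1).strip('"') if m else None
                findings.append(Finding(host, "ioc_file_name", image, pre))
        elif ev.get("EventID") == "3":
            dst = ev.get("DestinationIp", "")
            if dst in IOC_IPS:
                port = ev.get("DestinationPort", "?")
                findings.append(Finding(host, "ioc_ip", f"{image} -> {dst}:{port}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        extra = f" (pre-encryption command: {f.pre_encrypt_cmd})" if f.pre_encrypt_cmd else ""
        print(f"[{f.kind}] {f.host}: {f.detail}{extra}")
```

Matching on the base name rather than the full path is deliberate: the same encryptor may be dropped in different directories, and the casing of the name varies across hosts. Recording the "-cmd" argument matters because, per the analysis above, whatever it runs executes before encryption, so it is the earliest point at which the intrusion can be recognised and, ideally, stopped.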

RansomHub, which emerged in February 2024, initially presented itself as a data-theft and extortion group that sold stolen files to the highest bidder.

It soon became clear that RansomHub not only brokered ransomware attacks but also deployed its own encryptor, combining data theft with encryption in a double-extortion scheme.

There have been other cyberattacks targeting the energy sector in addition to the one that targeted Halliburton in 2024. A cyberattack on Colonial Pipeline in 2021 caused significant disruptions to the US energy industry.

The 2024 Halliburton attack mainly affected internal business operations and did not disrupt energy supply, unlike the 2021 Colonial Pipeline attack, which triggered fuel shortages across the Eastern United States.

Together, the two incidents make clear how important cybersecurity measures are for protecting critical infrastructure. In a RansomHub advisory (AA24-242A), the FBI and its partners described the threat actor's tactics, techniques and procedures, noting that the group had compromised at least 210 victims since February.

It is common for the FBI and CISA to publish coordinated advisories on a threat actor shortly after it carries out a high-impact attack on critical infrastructure such as Halliburton.

The government advisory notes that RansomHub victims come from a range of critical infrastructure sectors, including water, IT, government services, healthcare, emergency services, financial services, food and agriculture, commercial facilities, critical manufacturing, communications, and transportation.

Notably, the advisory does not list the energy sector, including oil companies, which suggests its publication may not be related to the Halliburton attack.

Reducing an organisation's susceptibility to a successful attack should be at the forefront of cyber-risk decision making as attacks continue to grow in sophistication and complexity.

Successful ransomware attacks are most often preceded by phishing emails. Help your colleagues keep a security-first mindset and strengthen your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
