Saudi Aramco 2021 contractor data extortion
A threat actor calling itself ZeroX exfiltrated 1 TB of Saudi Aramco data through a third-party contractor and demanded a $50 million ransom, posting samples on a hacking forum behind a 662-hour countdown.
- Victim: Saudi Aramco
- Records: 14.3K
- Users: 14.3K
In July 2021, the world's largest oil producer, Saudi Aramco, confirmed that 1 terabyte of its proprietary data had been stolen and was being used in a cyber-extortion scheme. A group calling itself ZeroX demanded a $50 million ransom; unusually, the company's own networks were never breached.
What happened
The data first surfaced on 23 June 2021, when a seller on the RaidForums cybercrime marketplace advertised 1 TB of Aramco files. ZeroX claimed the trove had been obtained roughly a year earlier by exploiting a zero-day vulnerability, though it declined to provide specifics. Crucially, Aramco stated the data came not from its own systems but from one of its third-party contractors, a classic supply-chain compromise.
ZeroX turned the extortion into a public spectacle. On the forum, the group posted a 662-hour countdown timer before negotiations would begin, framing it as a "puzzle" for the oil giant. The opening price was $5 million, with an "exclusive" buyout option reported at $50 million, payable in the privacy coin Monero.
Impact
- The leaked archive contained roughly 14,254 employee records, including names, photographs, passport and ID scans, emails and phone numbers.
- It also held project specifications, internal reports, network topology diagrams, and client lists, with files dating back to 1993.
- Aramco emphasised that the incident had no impact on its operations and that the breach did not touch its core OT or production systems.
- No public evidence indicates Aramco paid the ransom; the data was offered for sale to any buyer.
Attribution
The actor is known only by the handle ZeroX. Whether ZeroX was the original intruder or simply a broker reselling data stolen by another party was never resolved. No nation-state attribution was made, and the operation appeared to be purely financially motivated cybercrime rather than sabotage.
Why it matters
Coming nearly a decade after the destructive 2012 Shamoon attack, this incident showed how Aramco's risk had shifted from wiper sabotage to supply-chain data theft. The company hardened its own perimeter after 2012, so attackers pivoted to its weaker contractors and vendors. The case became a reference point for third-party risk management in the energy sector, underscoring that even an organisation with world-class internal defences can be extorted through the data it shares with partners.
Timeline
A threat actor on the RaidForums marketplace advertises 1 TB of stolen Saudi Aramco data, with files dating back to 1993.
ZeroX begins negotiations, posting a 662-hour countdown timer and a starting bid of $5 million for the dataset.
Saudi Aramco confirms a data leak, stating it originated with a third-party contractor and did not affect its own operations.
Media report the extortion demand at $50 million, payable in Monero cryptocurrency.
Aramco reiterates that the breach had no impact on operations and that it maintains a robust cybersecurity posture.
Sources
- aljazeera.com: https://www.aljazeera.com/economy/2021/7/21/saudi-aramco-confirms-data-leak-after-reports-of-cyber-ransom
- techradar.com: https://www.techradar.com/news/saudi-aramco-hit-by-1tb-data-breach
- flashpoint.io: https://flashpoint.io/blog/saudi-aramco-data-breach-highlights-risks-to-oil-and-gas-industry/
- cpomagazine.com: https://www.cpomagazine.com/cyber-security/third-party-security-failure-caused-1-tb-data-breach-at-saudi-aramco-hackers-play-puzzle-games-with-oil-giant/