
Ransomware feared in the cyberattack on US oil services giant

The August 21 cyberattack on the US oilfield services contractor Halliburton is now feared to be a ransomware attack, according to an email reportedly sent to the company’s suppliers.

BleepingComputer accessed a copy of the email and reported that it had been able to confirm one of the indicators of compromise (IOCs) shared within the email “to be a RansomHub ransomware encryptor.”

Halliburton is one of the biggest oil service companies globally, responsible for most of the world’s largest fracking operations.

RansomHub encryptor found

The analysis of IOCs shared in the email, containing filenames and IP addresses, reportedly revealed a Windows executable named maintenance.exe, the one confirmed to be a RansomHub encryptor.

The connection, however, had already been made in several social media rumors, but no evidence had yet been presented. Emails sent to Halliburton by CSO for comment had not elicited a response at the time of publishing this article.

“We are reaching out to update you about a cybersecurity issue affecting Halliburton,” said the email to suppliers. “As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement.”

Incidentally, the FBI and CISA have released a joint advisory on the RansomHub ransomware variant, calling it a formidable service model attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV.

“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors,” CISA added in the advisory.

Halliburton sent into shutdown

The cyberattack pushed Halliburton to shut down a few of its systems while it investigated the incident, according to the company’s SEC filing. Generating invoices and purchase orders was temporarily affected, but a workaround has since been made available, according to the email.

“On August 21, 2024, Halliburton Company became aware that an unauthorized third party gained access to certain of its systems,” the oilfield services giant said in the filing. “The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement.” Additionally, the company launched an internal investigation with the “support of external advisors to assess and remediate the unauthorized activity”, the filing added.

