
Oil firm Halliburton confirms breach, has pulled systems offline

“We are working internally, and with leading external experts, to remediate the issue.”

Stock image via Halliburton.

Halliburton, the $27 billion (by market cap) energy services firm, admitted Friday (August 23) that "an unauthorized third party gained access to certain of its systems."

Confirming what had been widely reported as a significant cyber-incident (The Stack on August 22 reported that the company had “activated our preplanned response plan”), Halliburton made the update in a mandatory SEC filing today.

Halliburton said it learned of the breach on August 21 – and has since "launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity. The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement."


Its SEC filing suggests, without explicitly stating so, that the incident is a ransomware attack: it says its "ongoing investigation and response include restoration of its systems and assessment of materiality" and that it is following its "process-based safety standards for ongoing operations under the Halliburton Management System."

The oilfield services specialist has nearly 48,000 staff and serves many of the world’s leading energy companies. Its previous filings suggest, on paper, a mature cybersecurity posture, with its board of directors receiving quarterly cybersecurity updates.

The incident had not yet impacted any energy services, a spokesperson for the U.S. Department of Energy said on Thursday, telling press that the DOE was coordinating with inter-agency partners on the attack.

Halliburton cyber-incident: Details thin

The scale of the incident, first reported by Reuters, remains unclear but the newswire said it impacts “business operations at the company's north Houston campus, as well as some global connectivity networks.” Staff commenting on social media said they had been told not to connect any devices to Halliburton networks amid a scramble to contain the incident.

Halliburton in 2020 announced plans to migrate a significant amount of its IT infrastructure to Microsoft Azure by 2022. Unconfirmed social media posts suggested the cyber-incident affected its cloud platforms.


As well as oilfield services like drill rig provision, Halliburton now also provides software to exploration and production (E&P) partners under a “Landmark” banner that includes reservoir modelling systems and more. It was not immediately clear if these were among the affected systems.

The company claimed a mature cybersecurity posture in its last annual report, highlighting its “Defense-in-Depth design philosophies for Information Technology (IT) and Operational Technology (OT) systems.”

These, it said, include:

■ Multi-factor authentication, which verifies users’ identities beyond their credentials
■ “Zero trust,” which establishes layers of protection for users and devices
■ “Least privilege,” which limits the content individual users can access

We await further details and will update when we have them.

Ransomware attacks earned cybercriminals over $1 billion in ransom payments in 2023 alone. Recovery is typically painful: attackers often aim to seek out and destroy or encrypt backups too, something that prompted one 2022 victim to promise a massive overhaul of its cold storage strategy.

Domain-joined backups are often easy targets in such attacks. Access to offline backups is slower and can require convoluted manual processes (such as retrieving decryption keys from a safe, gaining physical data centre access, or restoring from tape), and restoration under such scenarios is not always well-rehearsed.

As Secureworks' Alex Papadopoulos earlier put it in The Stack: “If you have a fully bricked system you will need to start by reinstalling the operating system first, then applications and services, before being ready to restore any data from backups – what we call a bare metal restore.”


In one incident response engagement Papadopoulos recalled “the impacted organisation had backups which survived the intrusion and ransomware. What didn’t survive was the victim’s Active Directory. Functionally, they couldn’t even start the process of restoring because their backup solution required AD to log in. They needed to authenticate, and nothing worked.”

He added: “To build resilience and be capable of recovering from ransomware, businesses must plan for failure, which means you need good backups but you should also ask the following questions:

  1. Have you taken the time to consider, test and document how you can recover under all the scenarios [you've] looked at?
  2. How many systems do you have to potentially recover? What are the complexities? How quickly can you do it?
  3. Do you have an alternative infrastructure in place, or the means to secure such infrastructure quickly, to keep the business running while you do the full restoration?
  4. Have you tested and do you have the capability to restore your Active Directory or whatever identity and access management (IAM) technology you use?

“Ransomware remains a very real and potentially very costly threat to businesses. It’s crucial to have solid cyber hygiene. Prevention will always be better than cure, so make sure you have best in class detection and prevention in place. But attacks happen, so invest in, understand and test your entire recovery strategy.”

Know more about the scope of the incident? Get in touch.

Hugops to those firefighting.
