Saudi Aramco Ransom Highlights Risk to Crown Jewels from Third-Party Shares

27/07/2021 • Gabriel Avner

Reports that a terabyte of data belonging to Saudi Aramco had been stolen began streaming out earlier this month, marking yet another high-profile incident for Saudi Arabia’s national oil company.

According to reports in Bleeping Computer that first broke the story, a crew calling themselves “ZeroX” –– because Zero Cool and Crash Override were apparently already taken –– took possession of copious amounts of proprietary data and personnel records dating from 1993 to 2020.

In their messaging with journalists, the hackers claimed to have data including:

  1. Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
  2. Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
  3. Internal analysis reports, agreements, letters, pricing sheets, etc.
  4. Network layout mapping out the IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices.
  5. Location map and precise coordinates.
  6. List of Aramco’s clients, along with invoices and contracts.

(Source: Bleeping Computer)

The crew is demanding $5 million for the full terabyte of stolen data, but that arrangement appears to be non-exclusive. A single party (presumably Saudi Aramco) seeking to take control of the dump and have ZeroX destroy their copies is expected to pay out a whopping $50 million.

In response to the breach, Saudi Aramco put out a statement claiming that the attack had occurred at a third-party contractor and that their systems had not been compromised.

While this may be good news on the face of it, it leaves open the question of why the organization had so much important data shared with third parties, especially when the external body was apparently not well secured.

With the information available, we can identify several authorization missteps on the part of Saudi Aramco that may have contributed to their current unfortunate situation.

Identifying Your Crown Jewels

Data loss is never a good thing, but there are degrees of bad.

If some internal emails discussing strategy leak out or encrypted data are exposed in an S3 bucket, then it is not the end of the world. Though ask Sony how bad leaked emails can be and you might get a different answer.

Then there are situations where the organization’s Crown Jewels are compromised, and people start to sweat.

Crown Jewels are the sensitive assets that can have a significant impact on an organization if they are compromised. They include data pertaining to intellectual property, financial data, personally identifiable information (PII), or sensitive customer information.

Looking at this recent case, the company suffered several types of Crown Jewel exposure.

  • Personally Identifiable Information (PII) of their workers
  • IP for their sites and systems
  • Internal information and assessments
  • Financial information like invoices and contracts

This last point is likely to be the most painful, as it probably reveals highly confidential prices and discounts that the company had with their clients, diminishing their negotiating position moving forward.

Understanding which of your assets are your Crown Jewels plays an important part in prioritizing to what extent you secure them. Part of this assessment determines how much risk you are willing to take on concerning these assets, including whether you should allow them to be shared outside the organization at all.

Challenges of Third-Party Asset Sharing

It is unclear at this point whether these important assets were held by Saudi Aramco and shared externally with the third party that was compromised in the attack, or whether the assets were simply in the possession of the third party.

But this case does highlight the risk of sharing your assets externally.

Sharing important assets with external entities is risky for a few reasons, the primary one being the lack of control over those accounts, since they exist outside of your organization.

There are plenty of good reasons for sharing assets externally with partners and contractors. The problems come when organizations make bad decisions about what to share (i.e. very sensitive data) or, more commonly, leave those external identities with open-ended access to those assets and lose track of having done so.

3 Tips for Securing Your Crown Jewels and Locking Down External Access

Mistakes appear to have been made by the Saudi Aramco team, but they are not alone. Authorizations to assets in organizations are difficult to keep track of, even before adding elements like the external contractors.

Here are a few tips that can help to reduce the chance of sensitive data being exposed to unnecessary risk.

  1. Identify your Crown Jewels
    Know which of your assets are highly sensitive and give them the extra security attention they deserve. The first step to protecting your assets is knowing which ones are high priorities, and where they are.
  2. Work to Achieve Observability and Implement Guardrails
    After you have done the work of mapping out your assets, you need to maintain observability over them to stay on top of who is able to access them, which permissions (read, write, edit, admin, etc.) they have, and whether any changes occur. This allows you to set policies that can be enforced with guardrails, notifying asset owners if a violation happens and allowing you to take the necessary action.

    This process should be continuous and automated for it to be most effective.

  3. Restrict External Sharing
    Best practices call for revoking external access to assets as soon as it is no longer required.

    It is easier to reshare an asset than deal with an exposure later.
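The following is an added example of what a guardrail check for tips 2 and 3 can look like in practice; it is not code from the post or from Authomize. It assumes a constructed asset inventory, a constructed list of access grants with hypothetical identities, and an internal identity domain of example.com.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

ORG_DOMAIN = "example.com"  # assumed internal identity domain (hypothetical)

# Constructed sample inventory: asset -> classification from the Crown Jewel review
ASSETS: Dict[str, str] = {
    "hr/employee-records.csv": "crown_jewel",        # PII
    "contracts/client-pricing.xlsx": "crown_jewel",  # financial data
    "marketing/brochure-2021.pdf": "public",
}

@dataclass
class Grant:
    asset: str
    identity: str
    permission: str           # read, write, edit, admin
    expires: Optional[date]   # None means open-ended access

# Constructed sample grants with hypothetical identities
GRANTS: List[Grant] = [
    Grant("hr/employee-records.csv", "alice@example.com", "admin", None),
    Grant("contracts/client-pricing.xlsx", "bob@contractor-co.com", "read", None),
    Grant("marketing/brochure-2021.pdf", "carol@agency.net", "edit", date(2021, 12, 31)),
    Grant("hr/employee-records.csv", "dave@contractor-co.com", "read", date(2021, 6, 30)),
]

def is_external(identity: str) -> bool:
    """An identity outside the organization's own domain counts as external."""
    return not identity.lower().endswith("@" + ORG_DOMAIN)

def audit(grants: List[Grant], assets: Dict[str, str],
          today: date) -> List[Tuple[str, str, str]]:
    """Return (asset, identity, reason) findings for external grants that break
    the policy: no Crown Jewels shared externally, no open-ended or expired shares."""
    findings = []
    for g in grants:
        if not is_external(g.identity):
            continue  # internal access is governed separately
        if assets.get(g.asset) == "crown_jewel":
            findings.append((g.asset, g.identity, "crown jewel shared externally"))
        if g.expires is None:
            findings.append((g.asset, g.identity, "open-ended external access"))
        elif g.expires < today:
            findings.append((g.asset, g.identity, "expired grant still active: revoke"))
    return findings

if __name__ == "__main__":
    for asset, who, reason in audit(GRANTS, ASSETS, date(2021, 7, 27)):
        print(f"{reason}: {who} on {asset}")
```

Run continuously against a live export of sharing grants, each finding becomes a notification to the asset owner with a concrete revocation action attached.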

Stick to the Principle of Least Privilege

Security is always a balance between usability and the desire to limit the organization's exposure to risk.

This concept is best laid out in the Principle of Least Privilege, which holds that you should grant individuals only enough access to assets for them to be effective at their job.

Any less access and they will not be able to function. Any more access and you are widening your threat surface unnecessarily, creating more opportunities for them to be compromised.

Assets pertaining to financial data that can harm future business, as well as personnel data that can bring regulatory repercussions, should be well protected inside the organization. Sharing these types of data outside the organization may be unnecessarily risky.

External sharing of data outside the organization will always present challenges to security and should be avoided to the greatest extent possible when dealing with Crown Jewels.

For more information on how you can mitigate the risk to your Crown Jewels and take control over external shares, contact us today for a free consultation.
