Halliburton has said it lost $35m from a systems breach in August. The incident disrupted and limited access to key systems at the oil services company. The breach, which also led to the exfiltration of some of Halliburton’s data, was subsequently revealed to be an attempted ransomware attack. It is unclear whether the $35m loss was the cost involved in repairing Halliburton’s damaged systems or a ransom paid to recover lost data. Tech Monitor has approached the firm for clarification.
“We experienced a $0.02 per share impact to our adjusted earnings from lost or delayed revenue due to the August cybersecurity event and storms in the Gulf of Mexico,” said Jeff Miller, the oil company’s chairman and CEO, in an SEC filing. However, Miller was keen to point out that the incident had little material impact on Halliburton’s operations. “Our full-year expectations for free cash flow and cash return to shareholders remain unchanged, and we expect both to accelerate in the fourth quarter.”
Halliburton hack resulted in indeterminate data loss
Founded in 1919, Halliburton is one of the world’s most successful oil services corporations, employing 55,000 staff in over 70 countries. In late August it was breached by RansomHub, a ransomware collective that has extorted over 200 victims since its emergence earlier this year. In the case of Halliburton, the gang “accessed and exfiltrated information” from its systems, according to a 30 August SEC filing – though what that information was remains undetermined. This marked a change from the firm’s initial statement about the incident, in which it claimed that the attack had resulted in some disruption but was unlikely to have any serious long-term impact.
“The Company has incurred, and may continue to incur, certain expenses related to its response to this incident,” said Halliburton at the time. “As of the date of this Current Report on Form 8-K, the Company believes that the incident has not had, and is not reasonably likely to have, a material impact on the Company’s financial condition or results of operations.”
Latest success for RansomHub
Precisely how the threat actors penetrated Halliburton’s systems remains unknown – though cybersecurity experts have speculated that the method of entry, as in so many other incidents of its ilk, was prosaic. “It’s likely that this wasn’t a highly complex operation,” Axio’s senior cybersecurity advisor, Richard Caralli, told Security Magazine. “Much like the incidents at Colonial Pipeline, Caesars, MGM and Clorox, the attackers may have taken advantage of simple, preventable errors – gaps in fundamental cybersecurity practices that were either inadequately implemented or not maintained over time.”
The Halliburton hack was the latest in a string of successes for RansomHub, which according to CISA has successfully exfiltrated data from scores of different industries. The group is a “ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV),” its advisory on the organisation added. “Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.”