Halliburton reveals data stolen in August cyberattack


Oilfield servicing giant Halliburton said on Tuesday that company data was stolen by the attackers responsible for an August 21st breach. This is as media reports identify the perpetrators as the RansomHub ransomware gang.

In an updated 8-K breach notification filed with the US Securities and Exchange Commission (SEC) dated August 30th, Halliburton stated that the unauthorized third party not only accessed its systems but was further able to “exfiltrate information from the Company’s systems.”

“The Company is evaluating the nature and scope of the information, and what notifications are required,” it said in the amended 8-K.

On the day of the attack, Halliburton had instructed staff at its Houston, Texas headquarters to disconnect from its systems while it attempted to isolate the attackers, minimize damage, and immediately notify law enforcement.

According to the most recent SEC filing, the incident had caused “disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions.”

Halliburton amended SEC filing August 30
Halliburton amended 8-K filing with the US Securities and Exchange Commission

It’s not clear how long the third party may have been inside “certain” company systems, or how much data may have been exfiltrated by the attackers.

Halliburton said the investigation and “assessment of the impacted data” is still ongoing, including the restoration of its systems.

In a statement sent to Cybernews the day of the attack, a Halliburton spokesperson said the company had activated its “preplanned response plan” and that its IT teams were “working internally, and with leading external experts, to remediate the issue.”

Further media reports stated the attack impacted business operations at Halliburton’s North Belt campus in Houston, as well as some global connectivity networks.

RansomHub gang allegedly linked to attack

On August 23rd, just a few days after the attack, security researcher Dominic Alvieri on X singled out the RansomHub cybercriminal group as the alleged attackers.

Cybernews tried to verify by checking RansomHub’s dark leak blog but did not see Halliburton posted as one of its many victims. It's often customary for ransomware groups to avoid identifying their victims publicly unless ransom negotiations have broken down.

That absence of stolen data samples leads Cybernews to believe that Halliburton is in talks to pay the gang a hefty ransom demand.

On August 29th, tech news outlet Bleeping Computer published a report confirming evidence linking RansomHub to the attack, which included a portion of the alleged ransom note posted on Reddit.

Furthermore, Bleeping Computer was able to view a copy of an email from Halliburton sent to suppliers with a list of indicators of compromise (IOCs), which happened to include an updated version of a RansomHub ransomware encryptor among the list.

Meantime, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about the RansomHub gang on August 30th due to their accelerated rise to the top of the ransomware food chain in the past few months.

According to the advisory, which provides a full list of known IOCs, including IP addresses, tools, known URLs, email addresses, and more, the cybercrooks have breached at least 210 victims since its inception in February 2024.

Determining impact

Halliburton is the second largest oilfield servicing company in the world, with additional corporate headquarters in Dubai, operations in 70 countries, and 40,000 international employees.

The company reported in its latest breach notice that material impact on finances and operations is likely limited.

Halliburton said it has been communicating with its customers and other stakeholders, as well as following protocols for “ongoing operations under the Halliburton Management System.” while determining the overall impact.

Considered by security experts as a critical infrastructure attack, threat actors targeting the energy sector have created major fallout in the past.

In 2021, American fuel supplier Colonial Pipeline was the victim of a ransomware attack that shut down its network systems for nearly a week.

The infamous attack, which coincided with the end of the COVID-19 pandemic, had such an impact on the fuel supply chain it led to soaring prices, fuel shortages, and panic-hoarding at gas pumps across the Southeast part of the US.