Hackers claim oil giant Petrobras, alleging oil-rich maps theft

A Russia-linked ransomware gang claims it has snatched 90GB of sensitive seismic and exploration data from Petrobras, pressuring the Brazilian petroleum giant to negotiate. The company says the breach involves a third party and that its own systems remain unaffected.
The Everest Group, a Russia-related ransomware gang, has targeted Brazil’s petroleum giant Petrobras, according to the cybercriminals’ claims on their leak site on the dark net.
Petrobras, officially Petróleo Brasileiro S.A., is a Brazilian multinational corporation in the oil and gas industry. Founded in 1953, it is half-owned by the state. In 2024, the company boasted over $91 billion in annual revenue.
The gang gave the company six days to make contact and discuss the ransom before the data is publicly released or sold to other cybercriminals. This is a common tactic used by cyber gangs to pressure companies into paying up.
Petrobras told Cybernews it has no record of unauthorized access to its internal systems. Petrobras reiterated that “all sensitive and strategic company data remains secure, in accordance with the most rigorous information security standards.”
According to Petrobras, it was informed of an isolated incident related to an exploration service provider, meaning the intrusion does not affect the company's operations, clients or employees.
Meanwhile, the attackers' post claims to have stolen 90GB of Petrobras data, including:
- Raw seismic navigation data, including ship coordinates
- OBN node positions
- DGPS accuracy
- Quality control data for the survey lines
- Reports on shots and source directions
- Hydrophone and source depths
- Shot pressures
- Metadata on equipment
- Node configurations
- Initial QC reports on system status
- PDF files summarizing the survey progress
- Preliminary QC results and line-by-line conclusions
- Distances and directions between sources and nodes
- Ship movement parameters and equipment orientation
As claimed, the data includes Campos Basin 3D and 4D seismic survey information. Petrobras has recently announced that it has identified the presence of quality oil in the post-salt layer of the Campos Basin, located offshore in the Atlantic Ocean, along the coast of southeastern Brazil, in front of the states of Rio de Janeiro and Espírito Santo.
If the attackers' claims are legitimate, the data could be related to the recent research conducted by Petrobras in the area.
“The drilling of this well has already been completed. The oil-bearing interval was confirmed through electrical logs, gas indications, and fluid sampling,” wrote the company in a press release, which it published on the same day the ransom notice appeared on the dark net.
From the data sample, there is no indication that attackers have real-time access to the company's data, so the ships and drilling infrastructure may not be at direct risk of espionage attacks.
“The impact of this leak is mostly reputational, and it could reduce competitive advantage for the company as the exposed navigation data and reports could indicate ship positioning and used equipment,” commented Cybernews researchers who investigated the data samples.
Cybernews has reached out to the company for confirmation, but a response has yet to be received.
Who is the Everest Group?
The Everest gang first emerged on the scene in July 2021. The group has been actively targeting critical infrastructure this year. Just this month, the gang targeted the Italian gas giant SIAD Group. The company confirmed the breach, stating that it did not affect “continuity of operations.”
The most disruptive attack conducted by the gang this year affected the aviation sector.
The Everest Group targeted aviation giant Collins Aerospace.
The company’s MUSE check-in software is used by several major European airports to manage check-in and boarding systems. A devastating attack on the company’s systems froze European airports.
The group ultimately released 23GB of data allegedly belonging to Collins Aerospace on the dark web.
The gang also threatened to release extensive passenger data from Dublin Airport in connection with the Collins Aerospace breach. The link to allegedly stolen data was dropped on November 11th. However, the link was later taken down by the gang.
In September this year, the gang claimed BMW as a victim. It also claimed that it breached a subsidiary of Germany's second-largest bank, DZ Bank, and threatened to release stolen data. However, the bank denied that any such attack had taken place.
In July, the group claimed Mailchimp, the popular email marketing platform, along with a cache of “internal company documents.”
In May, Everest set its sights on Coca-Cola’s Middle East division, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers.
Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group allegedly stole 23 million records.
Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).
The gang was also behind the October 2022 attack on AT&T, allegedly offering access to the entire AT&T corporate network, as well as the Radisson Country Inn and Suites hotel chain in fall 2024.
Updated on November 19th [10:30 a.m. GMT] with a statement from Petrobras.