Throwback Attack: Hackers demand $5 million from Mexican oil and gas giant in Pemex cyberattack

Courtesy of Brett Sayles

News that a ransomware attack shut down the pipeline that provides the East Coast with nearly half of its fuel sent shockwaves through the energy and cybersecurity communities earlier this week. Though a cyberattack has never taken down a U.S. fuel source as big as the Colonial Pipeline before, Colonial is far from the first energy asset to get targeted by cyber criminals. On Nov. 10, 2019, hackers attempted to extort Mexican oil and gas giant Petroleos Mexicanos, or Pemex, in a brazen cyberattack that fouled the company’s communications systems for weeks.

Critical national infrastructure such as electrical grids and oil and gas pipelines are attractive targets for cyber attackers because of their obvious strategic importance. If a bad actor can take down a key energy system, it can cause major disruptions to entire nations or simply turn a quick and tidy profit. Following the Colonial attack, fears of rising gas prices have run rampant throughout the U.S.

“This is something that happens to infrastructure all the time,” said Tyler Whitaker, chief technology officer (CTO) and chief operating officer (COO) of Leading2Lean. “It’s easy to do, and you don’t need to be a nation-state to do it, which means that the number of active players out there is only growing over time.”

The Pemex cyberattack was a complicated drama, with the hackers hoping to squeeze 565 Bitcoins, or around $5 million, out of the company and Pemex refusing to pay the ransom. Pemex reported that the attack affected less than 5% of its devices. Still, it crippled the company’s computer systems and impacted its communications for weeks. Just days after the malware was uncovered, Pemex released a statement saying the situation was “totally under control” and that its oil and gas operations were not disrupted, but that conflicted with what employees on the ground were saying.

In reports by Reuters and Bloomberg News, workers spoke of having limited internet access and difficulty retrieving emails and files. Many administrative functions, including payment processing, were also disabled, forcing employees to do the tasks manually, while Pemex personnel wiped affected computers and installed necessary software patches.

The hacker used the name Joseph Atkins, almost certainly an alias, in an email viewed by Bloomberg and claimed his group was also behind the July 2019 phishing attack on Downers Grove, Illinois, truck freight provider Roadrunner Transportation Systems.

“They did not pay and recovered themselves, and left us GBs of their data,” the hacker wrote, in a veiled threat aimed at Pemex.

According to reports, the attackers behind the Pemex cyberattack provided a three-week deadline of Nov. 30 to deliver the ransom payment. “The faster you get in contact, the lower price you can expect,” the email said.

Whether or not to accede to hackers’ ransom demands is always a complicated decision. While some companies refuse to pay, others are advised that a quick payment is the best way to restore operations to normal. Much of this depends on whether organizations have a solid backup they can use and the time and effort it would take to implement it. Without a good backup, many see paying the ransom as the only expedient option. But even companies that do pay don’t always get their files back in one piece.

The type of malware used in the Pemex cyberattack was not identified. Some initially thought it shared traits with the Ryuk ransomware, but most now believe it was DoppelPaymer, which is often deployed against large enterprises. DoppelPaymer is a form of ransomware designed to prevent victims from accessing their data by encrypting sensitive files. Attackers generally ask for a ransom in digital currency to restore the original files and then threaten to leak the files if no payment is made.
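The paragraph above describes the core effect of ransomware such as DoppelPaymer: files are encrypted and a note demands payment. The following Python script is an added defender-side example, not code from the article, from Pemex, or from any vendor. It walks a directory, flags files whose byte entropy looks like ciphertext, and flags ransom-note-like files. The entropy threshold (7.5 bits/byte), the 64 KiB sampling window, and the assumed note filename pattern (a name starting with "readme" that mentions decryption) are illustrative assumptions, not DoppelPaymer indicators; the sample file tree is constructed inline so the script runs offline.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: 8.0 bits/byte is the maximum possible; plain documents
# usually sit well below 6, while encrypted or compressed data approaches 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536  # assumed: a 64 KiB prefix is enough to judge entropy


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: high entropy means the bytes look like ciphertext (or compressed data)."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(name: str, head: bytes) -> bool:
    """Assumed note pattern: a README-style filename whose text mentions decryption."""
    return name.lower().startswith("readme") and b"decrypt" in head.lower()


def scan_directory(root: str) -> dict:
    """Walk root and summarise high-entropy files and ransom-note-like files."""
    high_entropy, notes, total = [], [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            total += 1
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if looks_like_ransom_note(name, head):
                notes.append(path)
            elif looks_encrypted(head):
                high_entropy.append(path)
    ratio = len(high_entropy) / total if total else 0.0
    return {
        "total": total,
        "high_entropy": sorted(high_entropy),
        "ransom_notes": sorted(notes),
        "encrypted_ratio": ratio,
    }


def pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for ciphertext: a chained SHA-256 stream (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def build_sample_tree() -> str:
    """Create a constructed sample directory: 3 plain reports, 3 'encrypted' files, 1 note."""
    root = tempfile.mkdtemp(prefix="ransomware_demo_")
    report = (b"Quarterly pipeline maintenance report: all valves inspected, no leaks found.\n") * 50
    for i in range(3):
        with open(os.path.join(root, f"report{i}.txt"), "wb") as fh:
            fh.write(report)
    for i in range(3):
        with open(os.path.join(root, f"report{i}.xlsx.locked"), "wb") as fh:
            fh.write(pseudo_random_bytes(f"seed-{i}".encode(), 4096))
    with open(os.path.join(root, "README_TO_DECRYPT.txt"), "wb") as fh:
        fh.write(b"Your files are encrypted. Contact us to decrypt them.\n")  # constructed note
    return root


if __name__ == "__main__":
    result = scan_directory(build_sample_tree())
    print(f"{len(result['high_entropy'])}/{result['total']} files look encrypted; "
          f"{len(result['ransom_notes'])} ransom-note candidate(s)")
```

In practice a check like this runs periodically against file shares or backup snapshots; a sudden jump in the share of high-entropy files, especially alongside a new README-style note, is the kind of signal that should page an on-call responder and trigger isolation of the affected hosts before encryption spreads further.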

According to technology website Bleeping Computer, DoppelPaymer’s ransom-payment portal features the following statement:

“We have gathered all your private sensitive data. Some sensitive [sic] information stolen from the file servers will be disclosed to public or sold to a re-seller if you decide not to pay. It will harm your business reputation.”

DoppelPaymer is a relatively new form of malware that emerged as a significant threat in 2019. Since then, it has been used in a string of high-profile attacks on entities like Visser Precision, a supplier of SpaceX and Tesla; Los Angeles County; Kia Motors; and Chile’s Agriculture Ministry. In December 2020, the FBI released a private industry notification to warn of increasing DoppelPaymer attacks on critical infrastructure targets such as health care, emergency services and education.

“Since its emergence in June 2019, DoppelPaymer ransomware has infected a variety of industries and targets, with actors routinely demanding six- and seven-figure ransoms in Bitcoin (BTC),” the FBI said in the alert.

At the time of the attack, Pemex, Mexico’s state-owned petroleum company, had fallen on hard times, with declining oil output and increasing debt. However, it was still one of the largest petroleum companies in the world and a major source of revenue for Mexico’s federal government.

“One of the big concerns I have from the industry in general is the economic drag it takes just to play the game, just to be diligent and respond to these attacks,” Whitaker said. “That’s a big economic impact to these attacks that I think probably flies under the radar a little bit when we’re thinking about infrastructure attacks where settings could be changed, power grids could go down, nuclear launch codes could become available. I think we also need to consider the economic effects of the drag on the economy because of cybersecurity attacks.”