Petróleos Mexicanos, or Pemex for short, was recently victim of a cyber attack using a ransomware. The attackers have demanded 565 Bitcoin (approx. 4.52 million Euro) to decrypt the data. However, Pemex has already announced that, as a serious company, it will not finance gangsters and therefore will not pay anything. Important affected data was backed up and recoverable after the systems had been cleaned.
Pemex publishes: Only a small part of the network affected
According to Pemex press release (in Spanish), only five percent of company PCs are affected by the attack. Also the operative network area (OT), for the control of operation and production, should not be affected. Nevertheless, various media sources claim to have learned from internal sources that Pemex is urging its employees not to connect to the network and to secure important data externally. According to employees, there is also the possibility that the company will not be able to pay the employees, as booking systems are also said to be affected by the ransomware attack.
Mexico’s largest oil and gas utility itself conducts exploration and production projects that produce around 2.5 million barrels of oil and more than 170,000 cubic meters of natural gas a day. Pemex lists six refineries, eight petrochemical complexes and nine gas processing complexes to operate. The company also reports that it manages 83 land and sea terminals, oil and gas pipelines, ocean-going vessels and various ground transportation fleets to supply more than 10,000 service stations in Mexico.
Intensified attack focus: Critical infrastructure
The last few years have seen an increase in cyber attacks on critical infrastructures, such as oil and gas companies and power utilities. In a report in April 2019, F-Secure highlighted the development in attacks on industry and critical infrastructures: the energy industry is increasingly threatened by cyber espionage and sabotage attacks. A little later, the German Federal Office for Information Security (BSI) came to a similar conclusion. In its new report on IT security in Germany, the BSI evaluated various attacks of the previous year and presented the background. Overall, the BSI regards attacks on critical infrastructures as one of the greatest challenges in the area of cybersecurity in the coming years. Since the criminal groups mentioned in the BSI report also operate worldwide, the BSI analysis also affects all other industrial nations. This is confirmed by the attack on Pemex, where the attackers could have chosen their target based on the large size of the attack surface available to them and the public pressure which would follow, assuming this would lead to swift payment of the ransom.
Expert comment on the Pemex attack by Sami Ruohonen, Labs Threat Researcher at F-Secure
The current attack on Pemex with ransomware seems to be a targeted attack of a financially motivated organized crime group.
The DoublePaymer ransomware used in the Pemex attack was used for the first time in 2019. It is probably a further development of the Bitpaymer Ransomware. Its developer, the Bitpaymer Group, is notorious for targeted ransomware attacks and the adjusted decryption prices.
Pemex’s $5 million (565 Bitcoin) ransom is high, yet well backed by Pemex’s 2018 net revenue ($85.41 million according to statista.com). This can be interpreted as an indication that the attacker evaluates the victim’s solvency. The payment page in the Tor network was also addressed directly to Pemex.
Presentation: “Cybersec in Energy” on 22.11.19 in Helsinki, Finland
The exclusive meeting will feature various presentations on cyber security in the energy sector. The non-availability of an energy supply has a considerable potential impact on the economy and the smooth functioning of civil society. A possible disruption could affect society, industry and trade with a high risk to GDP. It is important that energy operators consider cyber-safe practices as an integral part of their daily lives.
To this end, the Smart Energy Finland programme is organising a seminar containing views from different parts of the energy sector. Speakers from utilities, researchers and specialists from security companies will be present. To conclude, there will be a panel with all speakers focusing on cybersecurity levels in Europe.
Online is an agenda for the conference, which will take place on 22 November 2019 in Helsinki at Messukeskus.