Oil service giant Halliburton suffered an apparent cyber attack that affected operations at the Houston campus and multiple global networks.
Halliburton is the world’s second-largest oil service company, providing oil exploration and drilling management services. The energy sector contractor employs over 50,000 people in over 70 countries and reported $23.02 billion in annual revenue in 2023.
“We are aware of an issue affecting certain company systems and are working diligently to assess the cause and potential impact,” Halliburton’s spokesperson said.
The Houston- and Dubai-based company said it activated incident response protocols and engaged cybersecurity experts to investigate and resolve the issue.
“We have activated our preplanned response plan and are working internally, and with leading external experts, to remediate the issue,” said Halliburton.
However, Halliburton refrained from describing the incident as a cyber attack despite the telltale signs of a ransomware incident.
Halliburton confirms a cyber attack
In a Form 8-K regulatory filing with the US Securities and Exchange Commission (SEC), Halliburton said it had learned that an unauthorized third party had gained “access to certain of its systems.”
The oil sector contractor said it took some computer systems offline, notified law enforcement agencies, and launched an investigation to determine the materiality of the apparent cyber attack. Since July 2023, the SEC has required publicly traded companies to disclose the material impact of a cyber attack.
Halliburton also said it was in contact with customers and stakeholders to navigate the uncertainties of the cyber attack. However, the company did not provide a definite timeline for restoring the impacted systems.
“The Company is following its process-based safety standards for ongoing operations under the Halliburton Management System, and is working to identify any effects of the incident,” the energy contractor stated.
While the Halliburton cyber attack remains shrouded in mystery, social media reports suggest that the incident stemmed from a cloud-based system.
The company reportedly told employees to disconnect from the network and record their hours manually. Other reports suggest the cyber attack leaked a significant amount of data.
“While this is purely speculation as only Halliburton officials and their security team know what is causing disruptions due to the cyberattack, it wouldn’t surprise me to learn that ransomware is the culprit,” said Jim Doggett, CISO, Semperis.
No cybercrime group has claimed responsibility for the Halliburton cyber attack and a comment from the Cybersecurity and Infrastructure Security Agency (CISA) was not immediately available.
However, the Department of Energy told CNN it was aware of a reported cyber attack, although “there are no indications that the incident is impacting energy services.”
“While the specifics of the attack are still unclear, it’s likely that this wasn’t a highly complex operation,” said Richard Caralli, Senior Cybersecurity Advisor at Axio. “Much like the incidents at Colonial Pipeline, Caesars, MGM, and Clorox, the attackers may have taken advantage of simple, preventable errors—gaps in fundamental cybersecurity practices that were either inadequately implemented or not maintained over time.”
According to Nick Tausek, a Lead Security Automation Architect at Swimlane, the cyber attack on a global provider of oil drilling services “underscores the urgent need for more robust and proactive cybersecurity measures.”
Another cyber attack on US critical infrastructure
CISA identifies 16 critical infrastructure sectors, including the energy sector, whose disruption “could have potentially debilitating national security, economic, and public health or safety consequences.”
Critical national infrastructure (CNI) organizations have frequently suffered cyber attacks by cybercriminals, who prioritize profit above everything else.
“The one constant that does exist in cyberattacks is the criminal intent of the threat actors. They are coldblooded and typically motivated by financial gain,” Doggett added.
In 2023, the FBI recorded 1,193 ransomware attacks targeting CNI entities, marking a 37% increase over 2022.
In May 2021, Colonial Pipeline suffered a ransomware attack that disrupted operations along the US East Coast. The incident stopped the flow of approximately 100 million gallons of oil from Houston to the New York Harbor, causing shortages and panic hoarding.
In July 2024, a Sophos report found that while the frequency of ransomware attacks fell globally, the recovery time for utilities, energy, and oil and natural gas increased.
“Typical ransomware attacks will take an organization offline for at least seven days and will often take more than a month to recover completely,” said Erich Kron, Security Awareness Advocate at KnowBe4.