US Government Issues Advisory on Ransomware Group Blamed for Halliburton Cyberattack

The RansomHub ransomware group is believed to be behind the attack on oil giant Halliburton, and the US government has issued an advisory focusing on the cybercrime gang.

Halliburton, considered the world’s second largest oil service company, revealed on August 21 in an SEC filing that an unauthorized third party had gained access to some of its systems.

While no technical details were made public, the incident response steps described by the company suggested that it may have been targeted in a ransomware attack. 

Since the incident came to light, there have been several unconfirmed reports that RansomHub is behind the Halliburton incident, including from reputable ransomware researcher Dominic Alvieri. 

On Reddit, a few anonymous individuals mentioned RansomHub being behind the attack, with one claiming that data was stolen and that the cybercriminals had been demanding a $45 million ransom.

Bleeping Computer also reported on Thursday that RansomHub is behind the Halliburton attack, based on some indicators of compromise (IoCs).

RansomHub’s leak website does not mention Halliburton at the time of writing, which suggests that — if they are indeed behind the attack — the cybercriminals are still in negotiations with the company.

Halliburton has not made public any information beyond its initial statement and SEC filing. SecurityWeek has reached out to the company for confirmation that it was targeted by the RansomHub ransomware group and will update this article if the company responds.

The cybersecurity agency CISA, the FBI, the HHS and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Thursday published a joint advisory detailing RansomHub attacks.

The advisory describes the tactics, techniques and procedures (TTPs) used in RansomHub attacks and shares IoCs that can be used to detect and prevent intrusions. 

According to the government agencies, the RansomHub operation has encrypted and exfiltrated data from at least 210 victims since its inception in February 2024. 

RansomHub’s Tor-based leak website currently lists 180 victims, but the US government is likely aware of additional victims. 

The government advisory mentions that RansomHub victims are from various critical infrastructure sectors, including water, IT, government services and facilities, healthcare, emergency services, financial services, food and agriculture, commercial facilities, critical manufacturing, communications, and transportation. 

The advisory, however, does not mention victims in the energy sector, which includes oil companies. This indicates that the timing of the advisory may not be related to the Halliburton attack.