Halliburton Cyberattack Shows Pattern of Critical Infrastructure Disruption

Halliburton, a big player in the oil and energy sector, is one of the latest high-profile companies to report a cyberattack. After last Wednesday’s revelation of the incident, details on the attack remain relatively sparse. Halliburton filed an 8-K with the US Securities and Exchange Commission (SEC), acknowledging that an unauthorized third party accessed some of its systems.  

“We are aware of an issue affecting certain company systems and are working diligently to assess the cause and potential impact. We have activated our preplanned response plan and are working internally, and with leading external experts, to remediate the issue,” a Halliburton spokesperson told InformationWeek via email.  

What could this cyberattack indicate as critical infrastructure continues to be a target? 

Taking Systems Offline 

As a part of its response, Halliburton took certain systems offline, according to the 8-K.  

“Taking systems offline is, to me, one of the last-resort kind of things you do. It's not what you do upfront,” Jim Doggett, CISO at Semperis, an active directory protection company, tells InformationWeek. “Your first goal is isolate it, minimize it, try to keep operations going as much as you can. When you start pulling systems offline, that means that you don't understand everything [that] is going on, and the bad guy’s likely in there.” 

Related:5 Things We Must Do to Combat AI-Powered Cyberattacks

Shutting down systems, while disruptive to operations, is not uncommon. In the past year, approximately 70% of industrial organizations have been hit with a cyberattack. A quarter of those organizations had to shut down their OT operations, according to The State of OT Security report from cybersecurity company Palo Alto Networks.  

Exactly what systems Halliburton shut down and the resulting disruption for the company and its customers is not yet clear. The company “… is working to identify any effects of the incident.” 

John Terrill, CISO at Phosphorus, an xIoT cybersecurity solutions company, anticipates that these kinds of temporary system outages will likely be more common as companies continue to respond to cyberattacks. “You can't bring people back into an infected battlefield. You've got to have a clean place to rebuild from,” he says. “I think that's just par for the course now.” 

Potential Motivations  

Halliburton has not confirmed the exact nature of the attack, but ransomware is among the possibilities. Critical infrastructure entities have been hit with ransomware in the past. The Colonial Pipeline, for example, was hit with a disruptive ransomware attack in 2021. Critical infrastructure entities like hospitals and water stations have also been targeted by ransomware groups.  

Related:CDK Global Cyberattacks: What Can CIOs Learn About Single Points of Failure?

Halliburton could make an attractive target for threat actors motivated purely by financial gain. The company reported $5.8 billion in revenue for the second quarter of this year.  

Threat actors may be motivated not only by money, but also by information. “There's a bunch of stuff that is probably core to Halliburton’s business that might be interesting from an espionage standpoint,” says Terrill.  

Determining whether any data was exfiltrated will likely be a part of Halliburton’s investigation. Threat actors may or may not inform victims when they take data. Ransomware groups told just 57% of victims about data exfiltration, according to Arctic Wolf’s The State of Cybersecurity: 2024 Trends report.  

As a major player in the energy industry, Halliburton could be the target of nation state activity. “It's not a surprise to see critical infrastructure being attacked around this time. Before the 2020 election, we saw coordinated nation state attacks against critical infrastructure,” Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf, points out.  

Related:Repeat Offenders: Black Basta’s Latest Healthcare Cyberattack

An attack like this could signal that threat actors are probing to see how much potential damage could be done in the oil and energy sector. Or they could be attempting to erode trust in US critical infrastructure operations.  

But Terrill suspects that this attack was likely more opportunistic in nature. “If you were a nation state, you'd be doing a lot more to try to disguise yourself,” he says.  

It is unsurprising that Halliburton is remaining relatively tight-lipped as it works through its incident response and investigation.  

“I would say Halliburton probably did a pretty good job. They haven't tried to speculate and send out information which gets you into trouble. They seem to have acted fairly quickly and in a logical way,” says Doggett.  

Critical Infrastructure as a Target 

Critical infrastructure as a target is nothing new, but Halliburton is a big name.  

“This should be a signal flare to other organizations that if a company of Halliburton’s stature can suffer an attack then [you] need to make sure you're doing everything you can to minimize both the probability of [an attack] being successful and then in the eventuality that it does happen, reducing the impact,” says Manglicmot.  

The call for cyber resilience has been a steady drum beat in the critical infrastructure space. FBI Director Christopher Wray has called for public and private collaboration to respond to these ongoing threats. The Cybersecurity and Infrastructure Security Agency (CISA) offers guidance on security and resilience for critical infrastructure organizations.  

There is pressure on critical infrastructure organizations to ramp up their cybersecurity measures, but Doggett emphasizes that those efforts need to be ongoing and practiced. “Are you actually going through the effort of an exercise to say, ‘This has been hit?’ How do we make decisions more quickly? How do we know who makes the decisions? How do we know we communicate to the outside world?” 

Regardless of the motivation, nation state-directed or purely financial, critical infrastructure will continue to be a target. The more prepared organizations are to respond and continue operations, the more likely they will be able to contain the impact.