Halliburton cyberattack explained: What happened?
Oil field services provider Halliburton reported on Aug. 23, 2024, that it was the victim of a cyberattack, adding another to the growing list of cyberincidents.
On Aug. 21, 2024, Halliburton discovered unauthorized access in its systems; however, the exact nature and type of attack have not been disclosed as of Aug. 26. As a result of the unauthorized activity, Halliburton took some of its systems offline to contain any potential impact.
This incident underscores the vulnerabilities in the energy sector, which is increasingly targeted by cybercriminals due to its critical infrastructure status.
One such past attack was the 2021 attack on Colonial Pipeline. These attacks can have serious implications for global energy markets and may jeopardize national security by disrupting power sources, potentially disabling emergency services.
What is Halliburton?
Halliburton is one of the largest oil field services companies in the world.
Erle P. Halliburton established Halliburton in 1919. The company is headquartered in Houston, with global operations in over 70 countries. Halliburton provides a wide range of products and services to the energy industry, particularly focusing on oil and gas exploration and production.
Halliburton is integral to the U.S. and global energy sectors, providing essential services and technological innovations that support oil and gas production. Its operations are vital for maximizing the value of oil and gas reservoirs to meet global energy demands. The company's role in the energy sector has significant implications for national security, as it supports U.S. military operations and contributes to the stability of energy supplies.
What is the nature of the cyberattack?
Few details about the cyberattack had been publicly disclosed as of Aug. 26, but this is what is currently known about its nature.
On Aug. 21, 2024, Halliburton Company discovered that an unauthorized third party had accessed some of its systems. It is not clear how the unauthorized third party gained access. There is no formal disclosure regarding which specific systems were breached.
The unauthorized access was notable enough that it prompted Halliburton to file a Form 8-K with the U.S. Securities and Exchange Commission (SEC) on Aug. 23, 2024, as the law requires of publicly traded companies when significant events occur.
While the specific type of attack or the extent of the breach was not explicitly stated in the Form 8-K filing, the company's response suggests a significant security incident. Halliburton immediately activated its cybersecurity response plan upon discovering the intrusion, indicating that the company had preexisting protocols for such an event.
What was Halliburton's response plan for the cyberattack?
Halliburton took several actions in response to the cyberattack.
Part of Halliburton's response was to launch an internal investigation with the support of external advisors to assess and remediate the unauthorized activity. As a precautionary measure, certain systems were proactively taken offline to prevent further unauthorized access or potential damage.
Law enforcement was also notified of the incident, further suggesting the serious nature of the breach, even before full details were made public. The company's ongoing efforts include restoring the affected systems and assessing the incident's materiality, indicating the full extent of the impact was not yet known at the time of the filing on Aug. 23.
Halliburton's response extended beyond just technical measures. The company sent communications to its customers and other stakeholders. Additionally, Halliburton emphasized its adherence to process-based safety standards for ongoing operations under its Halliburton Management System, suggesting that the company was striving to maintain normal business operations despite the cybersecurity challenges.
It's important to note that Halliburton's response was partly driven by the need to comply with the U.S. Transportation Security Administration's (TSA) Security Directive Pipeline-2021-01D mandate. This mandate was originally drafted after the Colonial Pipeline incident and requires pipeline owners to report any cybersecurity incidents to TSA. The directive was renewed on May 29, 2024.
Who was affected and what was the impact?
The Halliburton cyberattack has had limited initial impact:
- Operational disruption. The cyberattack led Halliburton to take some systems offline to prevent further unauthorized access and to protect its infrastructure. This precautionary measure disrupted business operations, particularly at the company's North Houston operations.
- Global connectivity. The attack also impacted some of Halliburton's global connectivity networks, although the full extent of this disruption is still being assessed.
- Employee impact. Some employees were instructed not to connect to internal networks, which likely affected their ability to perform certain tasks.
- Energy services. Despite the attack, the U.S. Department of Energy (DOE) has reported no significant impact on energy services, indicating that critical operations have remained largely unaffected.
Timeline of attack
- Aug. 21, 2024
  - Halliburton detected unauthorized access to its systems, identifying it as a cyberattack.
  - As part of the response, Halliburton took certain systems offline to contain the breach and prevent further unauthorized access. The company began working with cybersecurity experts to investigate the incident.
- Aug. 22, 2024
  - Halliburton continued its investigation into the breach, collaborating with cybersecurity experts to assess the scope and impact of the attack. The company also started coordinating with law enforcement agencies to address the incident.
- Aug. 23, 2024
  - Halliburton publicly confirmed the cyberattack in a filing with the SEC. The company stated that it was focused on restoring affected systems and assessing the potential impact on its operations.
  - DOE reported that the cyberattack had not impacted energy services.
Who was responsible for the attack?
The identity of the perpetrators behind the cyberattack on Halliburton remains unknown. Halliburton has acknowledged that an unauthorized third party accessed its systems, but specific details about who was responsible or their motivations have not been disclosed.
No group has publicly claimed responsibility for the attack, and Halliburton has not provided any information suggesting the involvement of a specific group or individual.
While there is often speculation in such cases about the possibility of ransomware involvement, Halliburton has not confirmed any details regarding the nature of the attack, including whether a ransom was demanded.
How does this compare to the Colonial Pipeline attack?
The attack on Halliburton is not the first time the energy sector has been the victim of a cyberattack. In 2021, Colonial Pipeline was the victim of a cyberattack that had a wide-ranging impact on the energy sector in the U.S.
While the Colonial Pipeline attack in 2021 had an immediate and severe impact on fuel supply across the Eastern United States, the Halliburton attack in 2024 primarily disrupted internal operations without affecting energy services. Both incidents highlight the critical need for cybersecurity measures to protect essential infrastructure.
| Aspect | Halliburton (2024) | Colonial Pipeline (2021) |
| --- | --- | --- |
| Date of attack | Discovered on Aug. 21, 2024 | May 7, 2021 |
| Nature of attack | Unauthorized access to systems; specific details not disclosed | Ransomware attack involving data encryption and exfiltration |
| Intruder group | Unknown | DarkSide |
| Impact on operations | Disruptions at the Houston headquarters; affected some global connectivity networks | The complete shutdown of pipeline operations; caused widespread fuel shortages |
| Impact on energy services | No impact reported on energy production or supply | Significant impact, leading to fuel shortages and emergency declarations |
| Ransom paid | Not disclosed | $4.4 million paid to attackers |
| Duration of downtime | Ongoing investigation; systems taken offline as a precaution | 6 days for initial restoration; weeks for full recovery |
| Response measures | Activated cybersecurity response plan, collaborating with law enforcement and experts | Paid ransom to receive decryption tool; relied on backups for restoration |
| Broader implications | Highlights vulnerabilities in the energy sector; emphasizes the need for enhanced cybersecurity | Demonstrated potential for national energy crises due to cyberattacks |
| Public disclosure | Confirmed via SEC filing; ongoing investigation | Widely publicized; prompted increased focus on cybersecurity policies |
What can organizations learn from this attack?
The Halliburton cyberattack highlights energy industry vulnerabilities and the importance of implementing strong cybersecurity measures. This incident is another critical reminder for organizations to upgrade and strengthen their defenses against increasingly complex cyberthreats.
Here are some best practices that organizations can implement to limit cyberattack risk:
- Implement a zero-trust security strategy. By ensuring that each access request is validated, zero-trust architecture lowers the possibility of unwanted access.
- Harden authentication and access controls. All users should employ multifactor authentication, especially those with access to vital systems.
- Conduct risk evaluations. Regular cybersecurity risk assessments are essential for identifying and addressing vulnerabilities to prevent and reduce security incidents.
- Monitor threat detection. Advanced threat detection tools that continuously monitor network activity can quickly identify irregularities.
- Conduct security training and awareness. Ensure employees understand current threats and best practices for mitigating them with regular education via a cybersecurity awareness training program.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.