MEXICO CITY/NEW YORK/WASHINGTON – The hacker behind a cyberattack that has crippled the Petroleos Mexicanos computer systems since the weekend is hoping to squeeze about $5 million out of the company and appears to have set a deadline of Nov. 30.
Pemex has other ideas, saying it won’t pay the ransom and hopes to solve the cyberattack problem today, according to comments made by Mexico energy minister Rocio Nahle on Wednesday.
Those comments were the latest in an unfolding drama that has pitted the Mexican oil giant against an unknown hacker who uses the name “Joseph Atkins” in an email address — almost surely a pseudonym. Responding to an email from Bloomberg News, the person declined to comment about Pemex until Nov. 30, the end of a three-week deadline.
The person also said his group’s hacks aren’t limited to the oil sector and suggested they were responsible for a previous cyberattack on Roadrunner Transportation Systems Inc., a truck freight transportation services company based in Wisconsin. “They did not pay and recovered themselves, and left us GB’s of their data,” the person said, in broken English.
The email address was obtained from a message to a Pemex employee requesting the ransom money, which was viewed by Bloomberg News. “The faster you get in contact, the lower price you can expect,” it said.
Pemex declined comment on whether the hackers imposed a deadline. The company said in a statement earlier this week that operations were normal after it was subjected to cyberattacks Nov. 10 that affected less than 5 percent of personal computing devices.
The cyberattack highlights the growing epidemic of attacks against global companies that turn their own vulnerable IT systems against them — in this case by hijacking data they need to function. While some companies resist, others quietly pay, often on advice of security experts, fueling further attacks.
In this case, the hackers have also struck at a potent symbol of Mexican national pride that has fallen on hard times. Pemex, once a driving force of the country’s economic health, faces almost 15 years of output declines. In one recent sign of the oil giant’s vulnerability, Fitch Ratings Inc. in June cut Pemex’s bond rating to junk.
“There has to be some changes if they want to keep the market calm after these attacks,” said Mario Ahumada, a senior analyst of energy and infrastructure for risk consultancy EMPRA in Mexico City.
Roadrunner didn’t immediately respond to a request for comment.
The company has previously disclosed that its systems were breached in 2018. In a letter addressed to the New Hampshire attorney general, Roadrunner’s lawyer said a hacker had gained access to Workday, the company’s HR management platform, by sending phishing emails to its employees. Workday contained the private information of Roadrunner employees, including their name, address, Social Security number and payroll information. Roadrunner offered free credit monitoring to its employees as a result of the hack.
In a letter to its affected employees, Roadrunner said that the hacker modified the direct deposit information of some of its employees, but that the company detected the changes before any funds had been transferred.
It wasn’t clear if the 2018 breach at Roadrunner was the same one referenced by the person claiming to be involved in the Pemex hack.
On Wednesday, some Pemex employees were still locked out of their computers and told not to log on to the company’s Wi-Fi network, according to two people familiar with the situation. Pemex personnel have been busy since Tuesday wiping infected computers and installing software patches, said one of the people.
Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply-chain operations, the people said, asking not to be identified because they aren’t authorized to speak to the press. Invoices for fuel to be delivered from Pemex’s storage terminals to gasoline stations are being written by hand, and Pemex employees fear that if the problem isn’t resolved they won’t get paid on Nov. 27, when their next paycheck is due.
Neither Pemex nor Mexican authorities have identified the type of malware used in the attack. However, there are indications that it may be a strain known as DoppelPaymer, according to cybersecurity firm Crowdstrike Inc. The firm first saw DoppelPaymer deployed in June attacks, according to Adam Meyers, the company’s vice president of intelligence. Crowdstrike had previously connected the Joseph Atkins email to DoppelPaymer attacks.
The cybersecurity company Coveware, Inc. also connected the attack to DoppelPaymer after reviewing the ransom note and the email associated with it, which was posted online, according to Bill Siegel, the chief executive officer and co-founder. He said that the “scope and nature” of the attack is consistent with DoppelPaymer attacks, which typically target large enterprises.
Meyers said that DoppelPaymer attacks are typically executed against “high-value targets” — such as a health care organization, school district, or printing press — and executed at a time when they “need to be up and running” and may therefore feel compelled to pay a ransom, which is typically valued in the hundreds of thousands or millions of dollars.
Meyers found a sample of DoppelPaymer on a malware-sharing repository that contained an embedded payment portal requesting 565 bitcoin, which is roughly equivalent to $4.8 million. The payment portal was addressed to Pemex, which led Meyers to make the connection between DoppelPaymer and the recent attack.
DoppelPaymer attacks tend to be “financially criminal in nature,” according to Meyers. The hackers responsible typically move laterally, deploying ransomware across victim organizations so that they are “out of business” until they pay the ransom or else take the expensive step of restoring data from backups.
Pemex’s ransomware attack — in which systems are frozen by hackers until a ransom is paid — is the latest cybersecurity incursion to hit the commodities industry. Payment problems could disrupt a supply chain that stretches across fuel retailers, global trading companies, oil industry servicers and trucking firms.