(Bloomberg) — A ransomware attack that hit Mexico’s Petroleos Mexicanos is disrupting the company’s billing systems, according to people familiar with the situation.
Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply chain operations, the people said, asking not to be identified because they aren’t authorized to speak to the press.
Invoices for fuel to be delivered from Pemex’s storage terminals to gasoline stations were being done manually on Tuesday. At the company’s refining arm, some employees couldn’t access emails or the internet on Tuesday and computers were operating more slowly. If the situation isn’t resolved by Wednesday, it could affect Pemex’s ability to pay personnel and some suppliers, one of the people said.
Pemex said in a Twitter post Tuesday that fuel storage terminals were operating regularly, and gasoline supply was “guaranteed.” That followed a statement on its website late Monday that operations were normal, after it was subjected to cyber attacks Nov. 10 that affected less than 5% of personal computing devices. There are indications that the malware deployed against Pemex may be DoppelPaymer, according to cybersecurity firm Crowdstrike Inc.
Pemex’s ransomware attack — in which systems are frozen by hackers until a ransom is paid — is the latest cyber incursion to hit the commodities industry. Payment problems could disrupt a supply chain that stretches across fuel retailers, global trading companies, oil industry servicers and trucking firms.
Earlier this year, Norsk Hydro ASA was hit, following previous attacks on companies from zinc smelter Nyrstar NV to oil giants Saudi Aramco and Rosneft PJSC, shipping company AP Moller-Maersk A/S and agriculture trader Archer-Daniels-Midland Co.
The blow comes as Pemex seeks to reduce its debt, now the highest of any oil company, and reverse 14 years of production declines. Pemex’s efforts to balance its books at times conflict with the need to finance the nation’s budget, which relies on the company for nearly a fifth of its revenue. A fresh downgrade of its bonds looms as the company has failed to deliver a viable strategy to reverse output declines and replenish reserves.
In Villahermosa, Tabasco, employees involved in well-drilling services were told Tuesday they could start their computers, but not log on to the network, another person said. Telephone lines aren’t working, and there’s no access to the company network, corporate emails or Skype.
Staff payments may have to be done by telephone, said another person. In Pemex’s finance department, external emails weren’t coming through, affecting daily payments, people said.
Disruptive technologies have been a double-edged sword in the global oil industry. As oil companies seek to improve efficiency and worker safety by increasingly digitizing their operations, they face unprecedented security risks through ever-more sophisticated cyber attacks.
An internal message Monday indicated that the systems were infected by the Ryuk malware, according to a person familiar.
However, Crowdstrike Inc. has some indication that the malware may be DoppelPaymer, a form of ransomware that the firm first saw deployed in June attacks, according to Adam Meyers, the company’s Vice President of Intelligence.
DoppelPaymer attacks are typically executed against “high value targets” — such as a health care organization, school district, or printing press — and executed at a time when they “need to be up and running” and may therefore feel compelled to pay a ransom, which is typically valued in the hundreds of thousands or millions of dollars range, Meyers said.
Meyers found a sample of DoppelPaymer on a malware-sharing repository that contained an embedded payment portal requesting 565, which is roughly equivalent to $4.8 million. The payment portal was addressed to Pemex, which led Meyers to make the connection between DoppelPaymer and the recent attack.
DoppelPaymer attacks tend to be “financially criminal in nature,” according to Meyers. The hackers responsible typically move laterally, deploying ransomware across victim organizations so that they are “out of business” until they pay the ransom or else take the expensive step of restoring data from backups.
(Updates with comment from cybersecurity analyst starting in 12th paragraph)