BIPI

Halliburton and RansomHub: Energy Sector OT Risk Goes Public

Threat Intelligence

RansomHub's August 2024 attack on Halliburton disrupted oilfield services billing and operations. The OT-adjacent exposure pattern is becoming a sector default.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 15, 2024 · 8 min read

#halliburton #energy #ransomhub #ransomware

On August 21, 2024, Halliburton, the world's second-largest oilfield services company, filed an 8-K acknowledging a cybersecurity incident affecting access to certain systems. The attribution to RansomHub came quickly. The company took portions of its IT environment offline as a precaution, and the operational impact stretched into late August across billing, work-order management, and the systems that orchestrate field services on customer sites. Halliburton itself was the victim, but the downstream effect on oil and gas operators that depend on Halliburton for completions, drilling, and well services was the larger story.

Timeline

Initial reporting indicates RansomHub gained access in early-to-mid August. The detonation was on August 21. Halliburton disclosed the same day in its 8-K, a fast cadence by historical standards driven in part by the SEC's 2023 cybersecurity disclosure rule. Operational recovery stretched through late August and into September. The estimated financial impact disclosed in the 10-Q for Q3 2024 was approximately $35 million, with continued residual costs across customer relationship management, manual workarounds, and IT rebuild.

Root cause: the public details are thin

Halliburton has not published a detailed post-mortem and is unlikely to. RansomHub's general TTPs in 2024 included initial access via stolen VPN credentials and remote services, vulnerable internet-facing applications (especially unpatched Citrix and Fortinet boxes), and occasionally social engineering of IT helpdesk staff for MFA bypass. Any of these is consistent with the Halliburton timeline. What we do know is that the impact mode was IT systems being taken offline preemptively, suggesting Halliburton chose containment over continuity, which is the correct call for a ransomware response.

Attacker actions and OT-adjacency

Halliburton has been careful to say the incident did not affect its OT or operational field equipment. That is plausible. RansomHub generally does not pivot into OT; the affiliate model rewards encryption of business-critical IT, not industrial controls. But the OT-adjacent risk is real. Halliburton's IT systems orchestrate fleet movements, supply, well design data, and personnel deployment to drill sites. Even with OT isolated, IT-layer disruption can stop or delay operations that depend on IT for scheduling and data flow.

Detection and the energy-sector threat model

Detection at the vendor level was not the failure here; containment moved fast. The detection question for the energy sector is whether operators who depend on Halliburton have visibility into vendor incidents that affect their operations. Most operators do not. They learn about vendor outages from missed services or from public 8-Ks. That latency is no longer acceptable for any service that touches well operations.

RansomHub TTPs worth catching

RansomHub absorbed a large share of former ALPHV affiliates after BlackCat's March 2024 exit scam and became the busiest ransomware brand of the second half of 2024. CISA's joint advisory (AA24-242A) catalogs the affiliate playbook: initial access through known CVE exploitation (CVE-2023-3519 Citrix, CVE-2023-27997 Fortinet, ZeroLogon), use of legitimate remote tools like AnyDesk and Atera for persistence, network reconnaissance with PCHunter and Advanced IP Scanner, and SystemBC or PuTTY for tunneling. Encryption uses an x25519-based custom payload. None of this is novel, and all of it is detectable with disciplined endpoint and network monitoring.

Lessons

Energy is a target-rich sector with concentrated vendor exposure. The defensive lesson is not specific to Halliburton: it is that every major oil and gas operator should have a written assumption about what happens when a tier-one service vendor goes offline for two weeks. That document should cover billing, scheduling, data exchange, regulatory reporting, and customer communications. The companies that already had those plans on August 21, 2024 had a much smoother week than the ones that built them on the fly.

The BIPI take

Energy-sector ransomware in 2024 is now mostly IT-layer ransomware with operational spillover. The right defensive frame is not 'protect OT' (a goal you should already have) but 'assume any vendor with IT integration into your operations will eventually have a bad week'. Build the continuity plan for that week before someone else's 8-K becomes your fire drill.
