Cyber Incident Victim: Pakistan Petroleum Limited
Date: Aug 2025
Location: Pakistan
Summary
Pakistan Petroleum Limited suffered a ransomware intrusion that encrypted its servers, deleted backups and exfiltrated operational, contract and employee data, prompting the attackers to demand payment and threaten public release. The assault halted the firm’s financial systems for two days, though the company said core operations and joint‑venture partners remained unaffected. Internal teams, aided by external experts, isolated the threat, suspended select non‑critical services and reported the incident to law enforcement while forensic analysis continues.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 6, 2025, Pakistan Petroleum Limited (PPL) detected a cybersecurity incident involving a ransomware intrusion targeting parts of its IT infrastructure. The attackers, operating under the alias “Blue Locker,” encrypted PPL’s servers and blocked access to backups. They demanded a ransom in exchange for a decryption tool and a promise not to leak sensitive data. The encrypted systems included virtual machines and financial servers, bringing the company’s entire financial system to a standstill. Operations were suspended for two days as a result of the encryption. The attackers claimed to have exfiltrated vital data related to operations, contracts, and employee information, including TMC Data (Sui, Adhi, etc.) and contracts. An email sent to PPL employees stated that computers and servers were encrypted, backups were deleted from the network and copied, and that any attempt to modify or recover files independently could result in permanent data loss. The email warned that if PPL did not contact the attackers with a quote, they would report the hack to mainstream media and release the data to social media and competitors. A ransomware note was also received from an external actor identifying themselves as “Proton.” PPL’s internal cybersecurity protocols were immediately activated upon detection.

PPL’s IT and cybersecurity teams, working with external experts, implemented prompt containment measures, including the temporary suspension of select non-critical IT services to limit potential impact and preserve system integrity. The company’s multi-layered cybersecurity framework helped rapidly isolate the threat. PPL stated that, as of its statement, there was no indication of compromise to business-critical or sensitive data. Core operational systems remained unaffected, and Joint Venture partners and external stakeholders continued to operate without disruption. The matter was reported to relevant law enforcement and regulatory authorities in accordance with best practices and legal guidelines, and investigations are ongoing in coordination with those agencies. PPL committed to full transparency and initiated a comprehensive forensic analysis to assess the scope of the incident and reinforce cyber resilience. Teams are working to restore full system functionality in a secure, phased manner. The company emphasized its priority on safeguarding digital infrastructure and maintaining stakeholder trust through timely action and proactive cyber risk management.
The incident raised serious concerns about the cybersecurity resilience of critical national infrastructure, particularly in the energy sector. The attackers combined encryption with the threat of data exposure and demanded direct negotiations, stating that intermediaries or cybersecurity consultants should not be involved. Sources indicated that PPL’s IT experts and management were in negotiations with the hackers, who had held control of the IT system for the preceding two days, and that the administration had lost control over financial operations. The government and relevant authorities were fully informed of the situation, and a request had been made to those institutions to help restore PPL’s systems. Other oil and gas companies were alerted and warned to take immediate precautionary measures. Cybersecurity experts warned that such attacks could compromise national energy security and stressed the need for urgent investment in digital infrastructure and threat monitoring systems across state-owned enterprises.
