Cyber Incident Victim: PetroVietnam
Date: Mar 2023
Location: Viet Nam
Summary
A cyber incident involving Vietnam's state-owned petroleum corporation and affiliated infrastructure firms resulted in unauthorized disclosure of sensitive data, including infrastructure schematics, piping diagrams, business registration documents, employee information, and contractual agreements. The leak was publicly released without ransom demands by a BreachForums user known as Kernelware, who cited disinterest in financial extortion and previously distributed data from other entities including a Taiwanese electronics manufacturer, an Indian financial subsidiary, and a Swiss tech firm. The actor acknowledged minor errors in attributing some leaks and announced a temporary hiatus from leaking activities due to academic obligations. Forensic analysis indicated shared project documents among the impacted Vietnamese organizations, though the initial intrusion vector remains unspecified.
Description
On March 14, 2023, a BreachForums user known as Kernelware publicly posted a data leak involving Vietnam’s state-owned oil and gas group PetroVietnam and two affiliated firms, Long Son Petrochemicals and POSCO Engineering & Construction. The announcement included multiple smaller companies linked to the same project. Kernelware’s post listed extensive compromised data, such as infrastructure and piping schematics, business registration documents, employee information, and contractual agreements. The method of data acquisition remained undisclosed, as Kernelware declined to elaborate on access techniques but confirmed no ransom demands or prior contact with the affected organizations. A review of sample files indicated some documents bore markings from all three primary entities, suggesting shared project involvement, though it was unclear whether the data originated from a single breached server or multiple sources. PetroVietnam did not respond immediately to DataBreaches.net’s request for comment regarding the incident.

The leak exposed highly sensitive industrial specifications and corporate records, creating potential risks for operational security and employee privacy. Kernelware, active on BreachForums since August 2022, had recently circulated other datasets, including Acer Taiwan data for sale and unverified HDFC Bank (later corrected to HDB Financial Services) records. The actor publicly acknowledged the HDFC misattribution, revising their claim. Days before the PetroVietnam leak, Kernelware released 21 GB of Acronis customer data, which the company attributed to compromised credentials from a single client account. Kernelware framed the Acronis breach as inconsequential but deliberate, citing boredom as motivation. The PetroVietnam disclosure concluded with a notice of their temporary hiatus from leaks due to upcoming exams, signaling a pause in activity but no cessation of broader intent.
