Cyber Incident Victim: Sonatrach

Date: Apr 2020

Location: Algeria

Summary

A major oil firm suffered a ransomware attack by the Maze group, resulting in the theft and public leak of over 500MB of sensitive corporate data. The compromised information included financial records, strategic production targets, internal budgets, employee contact details, and travel documents, exposing critical operational and personnel information. Attackers employed double-extortion tactics, threatening further disclosures to pressure the victim, mirroring their previous high-profile intrusions against other multinational entities. The incident highlighted the group's pattern of exfiltrating data before encryption and leveraging its release to coerce payments.

Description

On April 1, 2020, the Maze ransomware group executed a cyberattack against Berkine, an entity affiliated with the Algerian state-owned energy company Sonatrach. The attackers successfully exfiltrated over 500MB of confidential corporate data before encrypting systems, adhering to their dual-extortion methodology. The stolen database contained sensitive operational documents, including detailed budgets, organizational strategies for 2020, production quantity records, and investment plans. Specific financial metrics such as Berkine's cost price per barrel and budget allocations for missions overseen by its owners were compromised. Employee records including contact information and travel documents were also extracted. Under the Breach, a cybersecurity monitoring service, confirmed the authenticity of the leaked materials, which Maze subsequently published online to pressure the victim. The disclosure exposed strategic operational details that could undermine Sonatrach's competitive positioning in oil markets.

The incident highlighted Maze's evolving tactics, previously documented by the French National Agency for Security of Information Systems (ANSSI) following the group's January 2020 attack on a Bouygues subsidiary. ANSSI analysis confirmed the group systematically exfiltrates data prior to encryption, maintaining leverage through threats of incremental leaks. In this case, Maze weaponized the stolen Berkine data by disseminating it through hacker forums, enabling potential phishing campaigns against employees and partners. The group's operational pattern involved setting ransom payment deadlines and progressively releasing sensitive materials when demands were unmet. No information regarding Berkine's payment decisions or incident response measures was disclosed in available sources. The breach exposed financial and strategic vulnerabilities within Sonatrach's subsidiary operations while demonstrating Maze's continued refinement of extortion techniques against critical infrastructure targets.