
Approved for public release; distribution is unlimited, with attribution.

Incident assessment and analysis of the 2019 Petróleos Mexicanos (PEMEX) cybersecurity breach.

César Omar Cisneros Melgoza


cesar.cisnerosma@udlap.mx
www.linkedin.com/in/ccisnerosm

"Intelligence analysts should be self-conscious about their reasoning process. They should think about how they make judgments and reach conclusions, not just about the judgments and conclusions themselves."

Richards J. Heuer Jr. [1]

1 ABSTRACT

Latin America is often considered a target for cybercriminals. It is essential to highlight that México lacks a sufficient cybersecurity culture; as El Universal points out, there are two main reasons that position México as a highly targeted country in terms of cybersecurity: its proximity to the United States and the belief that cyber-incidents will not happen in one's own organization [2]. Accordingly, México ranked in 2020 as the Latin American country with the second most hacked businesses, according to Expansión [3].

This paper presents an analysis of the 2019 PEMEX security breach from four different approaches, the Adversary, the Victim, the Capabilities and the Infrastructure (the four vertices of the Diamond Model of Intrusion Analysis [6]); it also addresses the issue from a policy point of view.
2 ATTACK ANALYSIS

On November 10, 2019, the state-owned company Petróleos Mexicanos, the biggest supplier of fuels in México, suffered a ransomware attack which forced the company to halt operations and freeze several systems across the country; as El Universal reports, the ransom note that appeared pointed to a darknet website and demanded a substantial amount of money in bitcoin.

2.1 The Victim

2.1.1 Pemex Persona

Pemex is the most important Mexican company, "responsible for the generation of 2.5 million barrels of oil daily and more than 6 million cubic feet of natural gas" (Pemex, 2015). Pemex's operations are distributed nationwide, which is the first reason it is an attractive target for attackers. Pemex's infrastructure in the country is massive; it includes, but is not limited to, refineries, petrochemical complexes and maritime terminals, with which the company serves more than 10,000 service stations nationwide [4]. According to Moody's, in 2019 Pemex obtained US$74.4 billion in revenue and held US$100.3 billion in assets [5].

2.1.2 Pemex Assets

A wide range of possible attack surfaces exists; in the big picture, there are:

- Six refineries.
- Eight petrochemical complexes.
- Nine gas processing complexes.
- 83 maritime terminals.
- 30 oil wells.
- 300 platforms.
- Four complexes of active exploration.
- Fifteen complexes of active production.
- Nationwide oil and gas pipelines.
- 10,000 service stations.
- Pemex Executive Tower in México City.

César Omar Cisneros M. 2


At a more specific level, we found the following systems, which, if left unprotected, would represent a significant exposure:

- SCADA primary control at central offices.
- Cloud servers at their VPC [8].
- Huawei 7950, 7910 & 8950 VoIP devices [8].
- Huawei AR2220E enterprise routers [8].
- Huawei S12708 core switches [8].
- Huawei S5720 access switches [8].
- Huawei NE40E-X8 central routers [8].
- Huawei FusionModule800 smart small data centers [8].
- Domain name and email usage @pemex.com.
- Social media account, Facebook: https://www.facebook.com/Pemex/
- Social media account, Twitter: @Pemex
- Employee computers.

The assets actually attacked were about 5% of all employee computers and payment-related systems. The CEO of Pemex is Octavio Romero Oropeza, and the company is under the Mexican government's control.

2.1.3 Adversary-Victim relationship

[Figure: Adversary – Victim axis of the Diamond Model]

According to Reuters, Pemex detected the attack on Sunday, November 10, 2019 [9]. To give a more precise description of the attack, the news source El Financiero provided extra information related to the event [10], so it is possible to understand this security incident as a three-phase event, as follows:

- Phase 1, Reconnaissance: the attack vector consisted of entry points into the victim's environment identified by the Adversary.
- Phase 2, Delivery and access gain: FireEye determined that the initial infection was caused by the delivery of the Dridex trojan, with which the Adversary gained access to the victim's network [11].
- Phase 3, Infection and lateral movement: according to the Pemex official version, the Adversary executed the Ryuk ransomware; as stated and analyzed by Reuters, the ransomware was actually DoppelPaymer, which is explained in more detail later [9].

As a result, the ransomware infected 5% of the company's computers, so this document considers the attack a partial success: it compromised the availability of critical infrastructure, affected the confidentiality of information, and allowed the Adversary to demand a ransom. Seen as an Adversary–Victim relationship, a company employee received a spear-phishing email carrying a trojan (Software Resource meta-feature).

2.2 The Adversary

Adversary Customer: presumably, the attack was carried out by former members of TA505, who crafted their own version of BitPaymer, namely DoppelPaymer [11].

Adversary Operator: the ransom message pointed directly to an individual who identified himself, most probably under an alias, as Joseph Atkins [11].

2.3 The Capabilities

2.3.1 Adversary Arsenal

Capability: Gaining unauthorized access to private systems
  Capacity: Usage of social engineering as a mechanism to deceive users.
  Capacity: Back door opened by the Dridex trojan.

Capability: Encryption of network devices
  Capacity: Ransomware insertion and execution (Ryuk / DoppelPaymer).
  Capacity: Lateral movement and monitoring through Command & Control (C2) execution [12].

Capability: Credential harvesting
  Capacity: Input capture (keylogging).

Table 1 Adversary Capability Capacity



2.4 The Infrastructure

To deliver and maintain control of the capabilities mentioned in 2.3.1, it was necessary to rely on different infrastructure elements, mainly Type 2 infrastructure, such as darknet SMTP servers used to obfuscate the origin and attribution of the activity.

2.4.1 Technology meta-feature between capability – infrastructure

Capability: Gaining unauthorized access to private systems
  Capacity: Usage of social engineering as a mechanism to deceive users.
    Infrastructure / Technology: SMTP darknet server.
  Capacity: Back door opened by the Dridex trojan.
    Infrastructure / Technology: RDP access.

Capability: Encryption of network devices
  Capacity: Ransomware insertion and execution (Ryuk / DoppelPaymer).
    Infrastructure / Technology: Internet Protocol (IP).
  Capacity: Lateral movement and monitoring through Command & Control (C2) execution [12].
    Infrastructure / Technology: Transmission Control Protocol (TCP) network reconnaissance (netstat, local routing table, PowerShell, to mention some).

Capability: Credential harvesting
  Capacity: Input capture (keylogging).
    Infrastructure / Technology: (none listed).
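The chain in the table above (spear-phishing delivery, Dridex back door, then host and network reconnaissance with netstat, the routing table and PowerShell before the ransomware stage) is what a defender would want to catch in process-creation telemetry. The following Python script is an added example, not code from the paper or from PEMEX: it looks for an Office application spawning a script host, followed within a short window on the same host by discovery commands or encoded PowerShell. The log lines, host names and field layout are constructed for the example and only imitate Sysmon Event ID 1 fields.

```python
"""Added example: hunt for an Office-macro spawn followed by discovery commands.
Sample events are constructed; they imitate Sysmon Event ID 1 fields but are
not real telemetry from any organization."""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line substrings indicating host/network discovery or obfuscated
# PowerShell; matched case-insensitively.
INDICATORS = ("netstat", "route print", "ipconfig", "arp -a", "whoami",
              "net view", "nltest", "-enc", "-encodedcommand")

# Constructed sample: timestamp host parent_image image command_line
SAMPLE_LOG = """\
2019-11-10T06:01:05 WS-0417 winword.exe cmd.exe cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAo
2019-11-10T06:01:07 WS-0417 cmd.exe powershell.exe powershell -w hidden -enc SQBFAFgAIAAo
2019-11-10T06:02:30 WS-0417 powershell.exe netstat.exe netstat -ano
2019-11-10T06:02:41 WS-0417 powershell.exe route.exe route print
2019-11-10T06:03:10 WS-0417 powershell.exe net.exe net view /domain
2019-11-10T09:15:00 WS-0203 explorer.exe outlook.exe outlook.exe
2019-11-10T09:16:12 WS-0203 services.exe svchost.exe svchost.exe -k netsvcs
2019-11-10T09:20:00 WS-0203 explorer.exe cmd.exe cmd.exe
2019-11-10T09:20:05 WS-0203 cmd.exe ipconfig.exe ipconfig /all
"""


def parse_events(log: str) -> list:
    """One event per line; image names and command lines are lower-cased."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "image": image.lower(),
                       "cmd": cmdline.lower()})
    return events


def hunt_macro_to_discovery(events: list, window: timedelta = timedelta(minutes=15),
                            min_indicators: int = 2) -> list:
    """One alert per Office->script-host spawn that is followed, on the same
    host and inside `window`, by at least `min_indicators` suspicious command
    lines. A lone ipconfig from an interactive cmd.exe does not fire."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, trigger in enumerate(evs):
            if trigger["parent"] not in OFFICE_PARENTS or trigger["image"] not in SCRIPT_HOSTS:
                continue
            follow_ups = [e["cmd"] for e in evs[i + 1:]
                          if e["ts"] - trigger["ts"] <= window
                          and any(k in e["cmd"] for k in INDICATORS)]
            if len(follow_ups) >= min_indicators:
                alerts.append({"host": host, "first_seen": trigger["ts"].isoformat(),
                               "spawned": trigger["image"], "indicators": follow_ups})
    return alerts


if __name__ == "__main__":
    for alert in hunt_macro_to_discovery(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, only WS-0417 fires: winword.exe spawning cmd.exe is followed by encoded PowerShell, netstat, route print and net view within two minutes, which is the pattern that precedes lateral movement. The "-enc" substring also matches "-Encoding" in benign scripts, so in production the indicator list and the window need tuning against the environment's baseline.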

3 POLICY ASSESSMENT

Several attacks have been deployed in México against the public and private sectors; it is necessary to depict how big this issue is, since ransomware attacks have increased worldwide. México ranked in 2020 as the Latin American country with the second most hacked businesses, according to Expansión [3], with cybercrime costs of USD 7 billion in 2017 and rising, according to Telmex [13]. The Mexican government is moving towards standardization and protection of digital assets by creating the Permanent Cybersecurity Commission and the National Center of Cybersecurity, as written in the México National Cybersecurity Strategy [14].

The Mexican government should address this issue at the national level. At a lower level, organizations cannot do anything against cybercriminals except defend themselves, so this problem should be one of the first addressed in the national cybersecurity strategy, specifically in transversal axis number one, which concerns cybersecurity culture.

México must establish a cybersecurity reference framework to regulate government institutions. Such a document must be holistic and applicable to all industry sectors, and it should set out the main strategies for protection against ransomware, among other threats that this document will not cover.

The Permanent Cybersecurity Commission of México must be responsible for spreading relevant information related to cybersecurity culture. In terms of ransomware, the Commission must invite individuals and public and private organizations to follow the regulations written in the Mexican Cybersecurity Reference Framework proposed in this paper, which has to be deployed by the Permanent Cybersecurity Commission and the National Center of Cybersecurity.

3.1 Document Samples

To combat or decrease ransomware in the country, the Mexican Framework must include relevant countermeasures that could be added in amendments such as:

SectionNumber

SectionNumber.SubSubsectionNumber Data Availability Increasing Methodology

This section describes rules and policies to improve and ensure data availability. Since privacy and security are strictly related, organizations must ensure the follow-up of four countermeasures:

Risk Reduction: Companies should not deploy critical infrastructure on Windows operating systems.



Privileges and Roles: At an organizational level, it is necessary to ensure that no ordinary user has been granted administrative rights. The company must be able to prove the existence of a role and privilege granting table, which should be aligned as closely as possible with the principle of least privilege.

Communications and limitations: Communications between LAN and WAN servers must be regulated by independent internal and external firewalls, allowing only specific servers to communicate with each other and blocking unnecessary ports and communications between unrelated appliances.

Backup & Restore: Organizations must provide a comprehensive disaster recovery plan, regulated by a business continuity plan, in which information backup and restore are addressed and adequately covered, explaining and proving how information is recovered after an event has happened; the organization must be able to provide safe restoration points at any time.
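The Backup & Restore countermeasure above asks organizations to prove that information can be recovered. The following Python script is an added example, not part of the paper or of any PEMEX procedure, of the minimum such a proof needs: a restore point kept in a separate location with a SHA-256 manifest, a check that the snapshot itself has not been tampered with before it is trusted, detection of which production files a later (simulated) ransomware run altered, and restoration of only those files. Directory names and file contents are constructed for the example.

```python
"""Added example: restore-point creation, verification and selective restore.
Sample directories and files are constructed here; the XOR routine only stands
in for the encryption stage of a ransomware run."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def create_restore_point(src: Path, dst: Path) -> dict:
    """Copy src into a fresh dst and store the manifest next to the copy."""
    shutil.copytree(src, dst)            # refuses to overwrite an existing snapshot
    manifest = build_manifest(src)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore_point(dst: Path) -> list:
    """Snapshot files that no longer match its own manifest (tampered or missing)."""
    manifest = json.loads((dst / MANIFEST_NAME).read_text())
    return sorted(rel for rel, digest in manifest.items()
                  if not (dst / rel).is_file() or sha256_file(dst / rel) != digest)


def damaged_files(src: Path, manifest: dict) -> list:
    """Production files whose content differs from the manifest, or that are gone."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (src / rel).is_file() or sha256_file(src / rel) != digest)


def restore(src: Path, dst: Path, damaged: list) -> None:
    """Copy only the damaged files back from the snapshot."""
    for rel in damaged:
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / rel, target)


def simulate_ransomware(src: Path) -> None:
    """Stand-in for the encryption stage: overwrite every file with XOR-scrambled bytes."""
    for p in src.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))


def demo() -> dict:
    """Run the whole cycle in a temporary directory and report each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "fileserver", Path(tmp) / "restore_point"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payments.csv").write_text("id,amount\n1,1500\n")
        (src / "ops.txt").write_text("pipeline maintenance schedule\n")

        manifest = create_restore_point(src, dst)
        before = damaged_files(src, manifest)           # nothing changed yet
        simulate_ransomware(src)
        damaged = damaged_files(src, manifest)
        snapshot_ok = verify_restore_point(dst) == []   # never restore from a tainted copy
        if snapshot_ok:
            restore(src, dst, damaged)
        return {"before": before, "damaged": damaged, "snapshot_ok": snapshot_ok,
                "after_restore": damaged_files(src, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest makes the restore point verifiable, but it does not make it safe: the snapshot has to live where the compromised hosts cannot write (offline media, immutable or object-locked storage, or a pull-based backup server). If the ransomware can reach the restore point, verify_restore_point only reports that the snapshot is gone.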

This document has stated how the government must push the different economic sectors to prevent information theft. Still, it is essential to mention a key aspect: inter-governmental detection and response. Deploying a framework and a commission by themselves is not enough, because the framework can only provide best practices to companies; the inter-governmental relationship must be supported by a cybersecurity law that describes the penalties and sanctions applied to a threat actor. Given the nature of the internet, most of the time the cybercriminals will not be located in México. Still, failing to define or apply sanctions for cybercrimes would expose México as a safe haven for criminals, due to the lack of capacity to determine proper sanctions for offenders.

3.2 Cooperation & Communication as a Detection Tool

There is no law in México that authorizes or obliges companies to share information about their security breaches; unfortunately, the idea that disclosing breach information to the world could hurt brand perception leads several companies not to reveal information about the attacks they have suffered.



Even when companies in México would like to share the information and data retrieved, there is no central coordination point led by any neutral organization. Transversal axis number 8, "Metrics and Follow up", should be amended by the following extract:

By striking:

The collaboration of actors to develop a methodology that allows constructing a national diagnosis of risks and threats in cyberspace. [14]

The establishment of centralized statistics related to the implementation and the impact of cybersecurity and the Strategy on the economic, political, and social sectors. [14]

And adding:

The Mexican National Center of Cybersecurity regulates and coordinates the exchange of information related to diagnostics, risks, and threats between organizations, providing an available, public, non-repudiable centralized database that is incremental and consultable by the private and public sectors, aiming to improve the mitigation tactics used by organizations and individuals against cybersecurity threats.

4 CONCLUSION

Vulnerabilities do not discriminate between individuals, the public sector and the private sector; it is necessary to improve communication and cooperation between the different parties. The nature of the internet puts independent security actors at a considerable disadvantage; this document concludes that the government and the commission must address this risk at the national level, creating specific committees that provide a precise cybersecurity strategy, ensuring inter-governmental relationships that enable cooperation, supported by a cybersecurity law that sanctions cybercriminals. In the first part, this document analyzed four elements that are important to understand in order to defend against intruders: the Victim and the Adversary, which are related to each other by specific meta-features, and the Infrastructure and Capabilities, which together help to understand how to approach and remediate a problem of this kind.



Note: This document reflects the opinion of the author and does not rep-
resent any third party.

References.

- [1] Richards J. Heuer Jr. Psychology of Intelligence Analysis. Central Intelligence Agency, 1999.
- [2] El Universal. (2018, November 07). México, principal objetivo de ciberataques en Latinoamérica. Retrieved November 18, 2020, from https://www.eluniversal.com.mx/ciencia-y-salud/tecnologia/mexico-principal-objetivo-de-ciberataques-en-latinoamerica
- [3] Chávez, G. (2020, September 30). México es el segundo país en América Latina con más negocios hackeados. Retrieved November 29, 2020, from https://expansion.mx/tecnologia/2020/09/30/mexico-es-el-segundo-pais-en-america-latina-con-mas-negocios-hackeados
- [4] Pemex. (2018). Petróleos Mexicanos. Retrieved November 26, 2020, from https://www.pemex.com/en/about-pemex/Paginas/default.aspx
- [5] Moody's. (2020). Petróleos Mexicanos. Credit Opinion.
- [6] Caltagirone, S., & Pendergast, A. (n.d.). The Diamond Model of Intrusion Analysis.
- [7] Pemex. (2020, March 05). Petróleos Mexicanos. Retrieved November 27, 2020, from https://www.pemex.com/nuestro-negocio/pep/Paginas/default.aspx
- [8] Huawei. (n.d.). Digital Pemex: Increasing Efficiency and Profitability in a More Competitive Scenario. Retrieved December 01, 2020, from https://e.huawei.com/topic/leading-new-ict-en/digital-pemex-case.html
- [9] Barrera, A., & Satter, R. (2019, November 13). Hackers demand $5 million from Mexico's Pemex in cyberattack. Retrieved December 01, 2020, from https://www.reuters.com/article/us-mexico-pemex-idUSKBN1XN03A
- [10] Nava, D., & Sánchez, I. (2019, November 14). Esto es lo que sabemos del ataque cibernético a Pemex. Retrieved November 30, 2020, from https://www.elfinanciero.com.mx/economia/esto-es-lo-que-sabemos-del-ataque-cibernetico-a-pemex
- [11] Arghire, I. (2019, November 12). Mexican Oil Company Pemex Hit by Ransomware. Retrieved November 30, 2020, from https://www.securityweek.com/mexican-oil-company-pemex-hit-ransomware
- [12] Yehoshua, M. (2019, November 14). Ransomware Attack At Mexico's Pemex Could Have Been Avoided. Retrieved November 26, 2020, from https://blog.scadafence.com/ransomware-attack-at-mexicos-pemex-could-have-been-avoided
- [13] Hernández, A. (2018, September 26). Costó cibercrimen 7 mil mdd en México en 2017: Telmex. Retrieved December 01, 2020, from https://www.eluniversal.com.mx/cartera/negocios/costo-cibercrimen-7-mil-mdd-en-mexico-en-2017-telmex
- [14] México. (2017). Estrategia Nacional de Ciberseguridad. Retrieved 2020, from https://www.gob.mx/cms/uploads/attachment/file/271884/Estrategia_Nacional_Ciberseguridad.pdf
- [15] Memon, Z. (2019, March 01). Why You Still Don't Need Antivirus Software on Linux in 2020. Retrieved December 01, 2020, from https://linuxhint.com/why_no_antivirus_linux/

