Cyber-Attack Timeline: Halliburton

Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience

Download Our Educational Cyber-Attack Timeline: Halliburton

Halliburton, one of the largest oilfield services companies globally, announced that an unauthorised third party had infiltrated some of its systems. Within a day, it was verified that the breach was a cyber attack, which led to disruptions in Halliburton's operations.

The $23-billion oil drilling and fracking powerhouse, which employs nearly 48,000 people, allegedly negotiated with the ransomware hackers under intense pressure from its stakeholders. The company also launched an investigation with the support of external advisors to assess and remediate the unauthorised activity. However, many employees claimed that they did lose access to critical systems as a result of the attack.

Find out everything that happened in this massive ransomware assault on an industry giant in our Halliburton Cyber Attack Timeline Documents.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • GDPR: We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Halliburton Attack timeline document and summary.

FAQs on the Halliburton Cyber Attack

  • What happened in the Halliburton cyber attack?

    In August 2024, Halliburton - one of the world's largest oilfield services companies - disclosed in a regulatory filing to the US Securities and Exchange Commission (SEC) that it had detected a cyber attack on its systems. The incident, later attributed by US authorities to the RansomHub ransomware group, forced Halliburton to take certain systems offline and caused operational disruptions across multiple departments, with its north Houston campus and some global connectivity networks directly affected. The company continued delivering products and services using backup systems, and no oil production or field services were reported to be affected.

  • When did the Halliburton cyber attack take place?

    Halliburton disclosed the attack in an SEC filing on 21 August 2024, with operational impact reported through 22-25 August 2024. The company officially confirmed the attack on 28 August 2024, and on 30 August 2024 US agencies issued a joint advisory naming RansomHub. Reports of ransom negotiations continued into early September 2024. Downtime and time to recover were each estimated at around a week.

  • Who was behind the Halliburton cyber attack?

    The attack was attributed to RansomHub, a prolific ransomware-as-a-service group. Suspicion centred on RansomHub from the outset, and on 30 August 2024 a joint advisory from CISA, the FBI, the HHS and the Multi-State Information Sharing and Analysis Center (MS-ISAC) formally identified the group as responsible. The advisory noted that RansomHub had affected over 210 organisations across critical sectors including energy, water, healthcare and financial services.

  • Was a ransom demanded in the Halliburton cyber attack?

    Reports from several outlets indicated that the attackers had exfiltrated sensitive data and were demanding a ransom of around $45 million, though Halliburton did not publicly verify this figure. By early September 2024, reporting suggested the company's legal and cybersecurity teams were negotiating with the attackers, with the details kept confidential. Halliburton has not publicly confirmed whether any ransom was paid.

  • What data was stolen or exposed in the Halliburton breach?

    Halliburton confirmed that some data had been stolen during the incident. Reporting indicated that financial data, employee records and proprietary information may have been accessed, although the company did not publish a full breakdown of the affected data. Halliburton stated it would notify affected parties as appropriate while its forensic investigation, supported by external advisors, continued.

  • How did the cyber attack impact Halliburton's operations?

    The attack caused operational disruptions across multiple departments. Employees reportedly lost access to critical systems, and some internal networks were taken offline as a precaution, affecting day-to-day operations at the company's north Houston campus and some global connectivity networks. Vendors and partners experienced slowdowns in communication and data transfers, creating supply-chain delays, although Halliburton continued to deliver products and services to customers using backup systems.

  • Was oil production or field services affected by the attack?

    No. Despite significant disruption to corporate systems and the north Houston campus, reporting indicated that Halliburton's oil production and field services were not affected. The company maintained delivery of products and services to customers throughout the investigation, with the main impact felt in corporate IT, internal networks and supply-chain communications rather than in field operations.

  • How did the cyber attack affect Halliburton's stock price?

    Halliburton's share price took a brief dip following the disclosure, reflecting investor concern over potential financial and reputational damage. News outlets reported that the stock fell by nearly 4%, reaching a new low for the year. Analysts estimated potential losses stemming from both the reported ransom demand and the disruption to business operations, although Halliburton did not publish an official cost figure at the time. 

  • What is RansomHub, the group linked to the Halliburton attack?

    RansomHub is a ransomware-as-a-service operation that became one of the most active ransomware groups of 2024, targeting organisations across critical infrastructure sectors. In the Halliburton case, US agencies confirmed RansomHub's involvement and shared indicators of compromise (IOCs), including a Windows executable named maintenance.exe identified as a RansomHub ransomware encryptor. The joint advisory noted that the group had affected more than 210 organisations across sectors such as energy, water, healthcare and financial services.

  • How long was Halliburton down and how long did recovery take?

    Downtime and time to recover were each estimated at around a week. From late August 2024, Halliburton proactively took certain systems offline to contain the incident, ran essential business functions on backup systems, and progressively restored services as its investigation continued. The company engaged Mandiant and other external advisors to support containment, forensic analysis and recovery. 

  • How did Halliburton and government agencies respond to the attack?

    Halliburton activated its cybersecurity response plan, proactively took certain systems offline, engaged external advisors including Mandiant, and notified law enforcement. It reported the breach to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), and shared indicators of compromise with suppliers so they could detect related activity on their own networks. On 30 August 2024, CISA, the FBI, the HHS and MS-ISAC issued a joint advisory on RansomHub to help other organisations defend against similar attacks.

  • What can organisations learn from the Halliburton cyber attack?

    The Halliburton incident shows how a ransomware attack on corporate IT can disrupt operations across multiple departments, strain supply chains and dent investor confidence, even when core production continues. The key lessons are the value of rapid containment and proactive system isolation, tested incident response plans, strong third-party and supply-chain risk management, early engagement with law enforcement and forensic specialists, and clear stakeholder communication. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry-experienced practitioners when it comes to cyber security training & cyber security consultancy services

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information, and pressing the "Get your free copy now" button acts as informed consent for this processing purpose. Consequently, we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and their outputs. (For example, we tend to create insightful mind maps and we are also the creators of the free-to-view Insights with Cyber Leaders Video Interviews.)
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.