In February 2026, the INC Ransom group listed ACWA Power - Saudi Arabia's largest private-sector energy company and the primary execution vehicle for the Kingdom's Vision 2030 energy transition - on its dark web leak site, claiming exfiltration of 400 gigabytes of data.
ACWA Power (rebranded to "Acwa" in January 2026) is approximately 44% owned by the Public Investment Fund (PIF), trades on Tadawul at a market capitalization of SAR 130 billion (~$34.4B), and operates 93 GW of power generation and 9.2 million cubic meters per day of desalination capacity across 15 countries.
The stolen data includes engineering drawings, technical specifications, ISO certifications, financial records, invoices, HR records, and employee personal information. Published proof samples on the leak site substantiate the claims. ACWA Power has issued no public statement.
The breach occurred one month after INC Ransom attacked Omrania & Associates, another Saudi firm holding critical infrastructure blueprints, establishing a pattern of deliberate targeting of Saudi Vision 2030 entities.
KEY FACTS
- What: INC Ransom exfiltrated 400GB of sensitive operational, financial, and personnel data from Saudi Arabia's largest private energy company.
- Who: ACWA Power (Tadawul: 2082), PIF-backed (44%), operating 108 assets across 15 countries, serving 75 million people with power and 34 million with clean water. SAR 7.41B ($1.97B) FY2025 revenue. ~4,000 employees.
- How: Double-extortion ransomware. INC Ransom's documented initial access includes exploitation of Citrix NetScaler (CVE-2023-3519), Fortinet EMS (CVE-2023-48788), Citrix Bleed 2 (CVE-2025-5777), and spearphishing. Specific vector for ACWA Power undisclosed.
- Data: Engineering drawings for power/desalination/hydrogen infrastructure, technical specifications, ISO certifications, financial records, invoices, HR records, employee personal information, backup data, design software archives.
- Actor: INC Ransom (MITRE G1032 / GOLD IONIC). RaaS since July 2023. 730+ total victims. Source code sold for $300,000 (May 2024); derivative Lynx ransomware emerged July 2024.
- Impact: No public statement from ACWA Power. NEOM Green Hydrogen ($8.4B), Sudair Solar (1,500 MW) engineering data potentially compromised. CMA material disclosure obligations triggered. PDPL fines up to SAR 5M per violation.
WHAT HAPPENED
On February 24, 2026, INC Ransom added ACWA Power to its Tor-hosted data leak site alongside Larsen & Toubro, an Indian engineering conglomerate. The group published internal documents as proof of compromise and claimed possession of 400 gigabytes of exfiltrated data.
A preliminary review of the posted file tree indicated directories containing HR records, financial files, backup folders, design software archives, and employee data repositories.
The listing followed the group's attack on Omrania & Associates one month earlier, in which INC Ransom published 4 terabytes of data from the Saudi architecture firm after ransom negotiations apparently failed.
Both targets hold engineering drawings and technical specifications for Saudi critical infrastructure projects.
The sequential targeting of two Saudi entities holding Vision 2030 infrastructure blueprints within 30 days suggests deliberate campaign planning, not opportunistic access.
ACWA Power had just completed a corporate rebrand in January 2026, changing its name to "Acwa" and announcing a target of $250 billion in assets under management by 2030. The company reported SAR 1.9 billion net profit for FY2025 (adjusted net profit up 60% YoY), with revenue of SAR 7.41 billion ($1.97B) and a record SAR 70.1 billion ($18.7B) in project financial closings.
As of March 25, 2026, the company has issued no public acknowledgment, no Tadawul disclosure, and no media statement.
THREAT ACTOR
INC Ransom (tracked as G1032 by MITRE ATT&CK and GOLD IONIC by SecureWorks) is a Ransomware-as-a-Service operation that emerged in July 2023.
Ransomware.live tracks 730+ victims as of March 2026, with the group ranking third among all ransomware operations in H2 2025 (213 victims) and consistently in the top 10. Affiliates conduct attacks and retain 70-80% of ransom payments.
The group operates a double-extortion model with data exfiltrated before encryption.
In May 2024, the source code (Windows and Linux/ESXi variants, AES-128 CTR + Curve25519 Donna encryption) was sold on Exploit and XSS forums for $300,000, leading to the emergence of Lynx ransomware (48-70% code similarity) by July 2024.
INC's documented initial access methods include exploitation of CVE-2023-3519 (Citrix NetScaler RCE), CVE-2023-48788 (Fortinet EMS SQL injection), CVE-2024-57726/57727/57728 (SimpleHelp RMM), and CVE-2025-5777 (Citrix Bleed 2, CISA KEV).
Post-exploitation: PsExec (renamed "winupd"), WMI, RDP for lateral movement; NTDS/Mimikatz for credential dumping; 7-Zip/WinRAR for staging; MEGASync/Rclone for exfiltration; SystemSettingsAdminFlows.exe to disable Defender.
CIS-origin indicators include Cyrillic keyboard layout kill switch in Lynx derivatives and consistent avoidance of CIS-nation targets.
Notable prior victims include NHS Dumfries & Galloway (3TB, children's mental health records, March 2024), McLaren Health Care (743,131 patients, cancer treatments delayed, August 2024), Pennsylvania Attorney General's Office (5.7TB, SSNs, August 2025), OnSolve CodeRED emergency alert system (10,000+ municipalities, November 2025), and Omrania & Associates (4TB, Saudi architecture, January 2026).
WHAT WAS EXPOSED
Published proof samples and file tree analysis indicate:
Engineering drawings and technical specifications for power generation, water desalination, and green hydrogen infrastructure.
These potentially cover the $8.4 billion NEOM Green Hydrogen facility (4 GW renewable, electrolyser specifications), Sudair Solar PV (1,500 MW), and operational plants across 15 countries.
Engineering drawings contain physical layouts, control system architectures, and safety system configurations that cannot be changed like passwords - once exposed, they permanently compromise the physical security posture of every depicted facility.
ISO certification documentation revealing the specific security and quality frameworks implemented - and by omission, controls that are not.
Financial records including invoices, payment schedules, and project budgets. For a company executing SAR 70.1B ($18.7B) in project closings annually, this exposes pricing structures, vendor relationships, and contractual terms.
Employee personal information and HR records for ~4,000 employees across 15 countries. Backup data and design software archives - indicating deep network penetration beyond front-line systems.
The presence of engineering drawings for critical infrastructure - power plants serving 75 million people, desalination serving 34 million - creates IT/OT convergence risk.
If drawings contain PLC, SCADA, or HMI specifications, they could enable cyber-physical attacks against industrial control systems.
TECHNICAL FAILURE CHAIN
1. Probable Initial Access via VPN/Remote Access Exploitation or Credential Compromise. INC's documented CVEs (Citrix, Fortinet, SimpleHelp, Citrix Bleed 2) all target remote access infrastructure. An energy company operating in 15 countries maintains extensive remote access.
If MFA was absent or misconfigured on any internet-facing gateway, a single credential or unpatched vulnerability provided the foothold.
2. Credential Harvesting and Privilege Escalation. INC's standard playbook includes NTDS.dit dumping and Mimikatz. A single domain admin credential provides keys to the entire AD forest.
3. Lateral Movement Across Unsegmented Network. The breadth of data types - HR, finance, engineering, ISO, backups - indicates insufficient segmentation. Engineering drawings for critical infrastructure should be air-gapped.
The fact that they were accessible from the same path as HR records indicates flat architecture.
4. 400GB Exfiltration Without Detection. MEGASync/Rclone exfiltration of 400GB represents a sustained operation over days or weeks without triggering DLP alerts.
5. Detection Failure. No evidence of early detection or containment has been reported. SIEM/UEBA either did not exist, were not tuned, or generated unactioned alerts.
REGULATORY EXPOSURE
Saudi Arabia:
- PDPL Article 19 - 72-hour notification to SDAIA + individual notification without delay. All breaches reportable. Fine: up to SAR 5M per violation; doubled for repeats.
- PDPL Article 14 - Security measures including encryption, access controls, NCA baseline. Independent violation.
- PDPL Criminal Provisions - Intentional disclosure: imprisonment up to 2 years + SAR 3M fine.
- NCA Essential Cybersecurity Controls (ECC-2:2024) - 114 mandatory controls for Critical National Infrastructure. ACWA Power's energy/water operations qualify as CNI.
- NCA Critical Systems Cybersecurity Controls (CSCC) - Additional mandatory controls.
- Anti-Cyber Crime Law (Royal Decree M/17) - Penalties for compromising data affecting national security or economy. Engineering drawings for infrastructure serving 75M+ people qualify.
- CMA Listing Rules - Immediate disclosure of material developments. A 400GB exfiltration from a SAR 130B company is unambiguously material. No Tadawul disclosure filed as of March 25.
- SDAIA Enforcement - 48 enforcement decisions in 2025 confirming active posture.
UAE (Taweelah, Noor Energy 1, Dubai operations):
- UAE PDPL (Federal Decree-Law No. 45/2021) - Fines up to AED 10M if UAE data included.
Oman (operational presence - full PDPL enforcement began Feb 5, 2026):
- Oman PDPL - If Omani personnel data included.
Morocco (Noor Complex):
- Law 09-08 - CNDP enforcement for Moroccan employee data.
South Africa (Bokpoort):
- POPIA - Information Regulator enforcement.
Egypt, Jordan, Azerbaijan, Uzbekistan, Indonesia, Vietnam, China, Turkey:
- Various national data protection laws potentially triggered.
EU / GDPR:
- If EU citizen data present (European contractors, partners like thyssenkrupp/Air Products). Fines up to EUR 20M or 4% of $1.97B revenue (~$78.8M).
ZERO|TOLERANCE Advisory
1. Phishing-resistant MFA on all internet-facing infrastructure. INC Ransom's four documented initial access vectors are all neutralized or significantly mitigated by FIDO2 hardware keys on VPN gateways and administrative interfaces.
2. Network segmentation isolating engineering/OT documentation. Engineering drawings for critical infrastructure - power plants, desalination, hydrogen - must reside in a segmented enclave with separate authentication and monitoring, never accessible via the same lateral movement path as HR and finance.
3. DLP at network egress with volumetric alerting. 400GB sustained exfiltration should trigger immediate automated alerting. Rclone and MEGASync traffic patterns should be blocked at proxy/firewall level.
4. EDR tuned for ransomware pre-encryption behavior. INC's toolkit (PsExec renamed "winupd," NTDS dumping, Mimikatz, Defender disablement) is all detectable. Credential Guard should prevent LSASS harvesting.
5. Privileged Access Management with tiered model. No single account should access both corporate IT and engineering document repositories. Just-in-time access with mandatory approval for Tier 0 accounts.
6. Continuous vulnerability management prioritizing CISA KEV. CVE-2023-3519, CVE-2023-48788, CVE-2025-5777 all on CISA KEV. Sub-72-hour patch cycle for KEV entries.
7. CMA-compliant cybersecurity incident disclosure playbook. ACWA Power's silence as a Tadawul-listed company raises serious compliance questions. Pre-established disclosure workflows with legal/comms/board approval would ensure regulatory obligations are met.
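As an added example (not from the original advisory or any of its sources), the two detection signals behind items 3 and 4 above, and behind steps 4 and 5 of the failure chain, expressed as Python run over constructed log lines: volumetric egress to MEGASync/Rclone destinations per host, and PsExec tooling whose on-disk name (e.g. "winupd") no longer matches its PE OriginalFileName. The hostnames, the 1 GiB threshold, and the user-agent prefixes are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the advisory):
# "<timestamp> <source host> <destination> <user-agent> <bytes sent>"
PROXY_LOG = [
    "2026-02-10T02:14:01Z eng-ws-17 mega.nz MEGAsync/5.1.0 734003200",
    "2026-02-10T03:02:47Z eng-ws-17 mega.nz rclone/v1.65.0 629145600",
    "2026-02-10T09:15:10Z fin-ws-03 mega.nz Mozilla/5.0 52428800",
    "2026-02-10T09:16:22Z eng-ws-17 update.microsoft.com Windows-Update-Agent 1048576",
]

# Constructed process-creation events: image path plus the PE OriginalFileName field
PROCESS_EVENTS = [
    {"image": r"C:\Windows\Temp\winupd.exe", "original_name": "psexesvc.exe"},
    {"image": r"C:\Tools\PsExec.exe", "original_name": "psexec.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "original_name": "notepad.exe"},
]

SYNC_HOSTS = {"mega.nz", "mega.co.nz"}                   # MEGASync endpoints
SYNC_AGENTS = re.compile(r"^(rclone|MEGAsync)/", re.I)   # assumed user-agent prefixes
EGRESS_THRESHOLD = 1024 ** 3                             # 1 GiB per host per window (assumed)
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def flag_bulk_egress(lines, threshold=EGRESS_THRESHOLD):
    """Sum bytes sent to sync services per source host; return hosts over the threshold."""
    totals = defaultdict(int)
    for line in lines:
        _ts, host, dest, agent, sent = line.split()
        if dest in SYNC_HOSTS or SYNC_AGENTS.match(agent):
            totals[host] += int(sent)
    return {host: total for host, total in totals.items() if total > threshold}

def flag_renamed_psexec(events):
    """Flag binaries whose OriginalFileName is PsExec but whose on-disk name is not."""
    hits = []
    for ev in events:
        on_disk = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["original_name"].lower() in PSEXEC_NAMES and not on_disk.startswith("psexec"):
            hits.append(ev["image"])
    return hits

if __name__ == "__main__":
    print("bulk egress:", flag_bulk_egress(PROXY_LOG))
    print("renamed PsExec:", flag_renamed_psexec(PROCESS_EVENTS))
```

In production the per-host window would be a rolling sum over proxy or NetFlow data, and the OriginalFileName field comes from Sysmon Event ID 1 or the EDR's process telemetry.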
SOURCES
TechNadu, TechEduByte, BreachSense, MITRE ATT&CK (G1032/S1139), MOXFIVE, Blackpoint Cyber, SentinelOne, Unit 42, BleepingComputer, Halcyon, Ransomware.live, CYFIRMA, CM-Alliance, DBDigest, ACWA Power Annual Report 2024, ACWA Power FY2025 Results, PIF Portfolio, Tadawul, Zawya, SolarQuarter, IAPP, Baker McKenzie, NCA (ECC Framework), NEOM Green Hydrogen Company