Attack alert: qilin targets Khazzan Logistics - OM
Introduction
On December 6, 2025, Khazzan Logistics, a major player in oil logistics in the Middle East with between 500 and 1,000 employees and revenues exceeding $100 million, was listed as a victim by the Qilin ransomware group. This claim, classified at SIGNAL level under our XC-Classify protocol (claimed by the group but not yet confirmed), concerns highly strategic data in a critical infrastructure sector in Oman. The incident comes amid a surge in attacks targeting the regional energy supply chain, weakening an ecosystem in which every logistical link is crucial to the stability of oil and gas flows.
The scale of this intrusion goes beyond simple data theft: it highlights the vulnerability of critical infrastructure to sophisticated malicious actors. Khazzan Logistics, founded in 2010 and specializing in logistics coordination for the energy industry, manages highly sensitive information including commercial contracts, convoy geolocation data, and strategic infrastructure diagrams. The compromise of such digital assets could have cascading repercussions across the entire transportation sector in the Middle East, a region where the security of energy supplies is a major geopolitical issue.
Detailed Analysis
This attack illustrates Qilin's escalation strategy, which now targets regional organizations with high-value data, beyond traditional Western victims. The incident raises urgent questions about the cybersecurity preparedness of regional logistics players and the need to strengthen security protocols in a sector where business continuity cannot tolerate any interruption.
How Qilin Compromised Khazzan Logistics, Transportation in the Middle East
The intrusion reported on December 6, 2025, at Khazzan Logistics bears the operational signature of Qilin, a ransomware group known for targeted campaigns against critical infrastructure. No initial access vector has been established for this incident; the group's documented modus operandi suggests a likely combination of exploitation of unpatched, internet-facing systems and social engineering, tactics recurring in its recent attacks against the energy sector.
The nature of the data the group claims to hold (energy contracts, geolocation information, and critical infrastructure diagrams) would indicate a methodical exfiltration targeting high-value digital assets. Such selectivity typically follows a reconnaissance phase in which attackers identify and prioritize the most sensitive information to maximize leverage during ransom negotiations.
The impact of this breach extends far beyond Khazzan Logistics. As a key link in the Omani oil and gas supply chain, the company coordinates critical flows, the disruption of which could affect the regional stability of energy supplies. The potential disclosure of geolocation data and infrastructure diagrams represents a major security risk, exposing strategic facilities to possible subsequent physical or cyberattacks.
The timing of the attack, in early December, coincides with a period of increased logistics activity in the energy sector, which maximizes operational pressure on the compromised organization. If deliberate, this synchronization illustrates the growing care ransomware actors take in timing their attacks against their victims.
Qilin: Modus Operandi, History, and Victims of the Ransomware Group
Qilin, also known as Agenda, operates according to a Ransomware-as-a-Service (RaaS) model, which allows it to amplify its impact by recruiting affiliates tasked with executing intrusions. Active for several years, this cybercriminal collective specializes in double extortion attacks, combining system encryption with the threat of public disclosure of exfiltrated data to force victims to pay.
The group's modus operandi favors diverse intrusion vectors: exploiting vulnerabilities in exposed network equipment, compromising privileged accounts via targeted phishing, and abusing poorly secured Remote Desktop Protocol (RDP) configurations. Once initial access is gained, the attackers deploy sophisticated lateral movement techniques to map the target environment and identify critical digital assets before mass exfiltration.
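The RDP abuse vector mentioned above leaves a recognizable trace in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source address, followed by a successful one (Event ID 4624) from the same address. The following detection logic is an added example written for this page, not code from the alert, from Qilin tooling, or from Khazzan Logistics; the event records are constructed sample data in a simplified dictionary form (an assumption that events have already been parsed from EVTX or JSON), and the threshold and window are illustrative tuning values.

```python
"""Flag RDP brute-force followed by a successful logon in Windows Security events.

Added example for illustration only. Event IDs 4625 (failed logon) and 4624
(successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are standard
Windows Security log values; everything else here is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: already parsed from EVTX/JSON into dicts).
SAMPLE_EVENTS = [
    # External host hammers the administrator account, then gets in as svc_backup.
    {"ts": "2025-12-05T22:00:10", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2025-12-05T22:00:41", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2025-12-05T22:01:15", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2025-12-05T22:02:02", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "admin"},
    {"ts": "2025-12-05T22:03:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_backup"},
    {"ts": "2025-12-05T22:04:05", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_backup"},
    {"ts": "2025-12-05T22:05:12", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_backup"},
    # Internal user mistypes a password twice, then logs on: below threshold, no alert.
    {"ts": "2025-12-05T22:02:10", "event_id": 4625, "logon_type": 10, "src_ip": "10.20.30.40", "user": "jdoe"},
    {"ts": "2025-12-05T22:02:25", "event_id": 4625, "logon_type": 10, "src_ip": "10.20.30.40", "user": "jdoe"},
    {"ts": "2025-12-05T22:02:50", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.30.40", "user": "jdoe"},
    # Slow failures spread over an hour: never enough inside one window.
    {"ts": "2025-12-05T22:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9", "user": "guest"},
    {"ts": "2025-12-05T22:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9", "user": "guest"},
    {"ts": "2025-12-05T23:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9", "user": "guest"},
    # Non-RDP logon type is ignored entirely.
    {"ts": "2025-12-05T22:00:05", "event_id": 4625, "logon_type": 3, "src_ip": "198.51.100.7", "user": "administrator"},
]

FAIL_THRESHOLD = 5               # illustrative: failures inside one window that trigger an alert
WINDOW = timedelta(minutes=10)   # illustrative sliding window


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that exceeds `threshold` RDP failures
    within `window`; if that IP later logs on successfully over RDP, the alert
    records the account and time, which is the signal worth paging on."""
    rdp = sorted((e for e in events if e["logon_type"] == 10),
                 key=lambda e: parse_ts(e["ts"]))
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts_by_ip = {}
    for e in rdp:
        ts, ip = parse_ts(e["ts"]), e["src_ip"]
        if e["event_id"] == 4625:
            # Keep only failures still inside the sliding window, then add this one.
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts_by_ip.setdefault(ip, {
                    "src_ip": ip, "failures": 0, "first_failure": recent[0].isoformat(),
                    "success_user": None, "success_ts": None})
                alert["failures"] = max(alert["failures"], len(recent))
        elif e["event_id"] == 4624 and ip in alerts_by_ip \
                and alerts_by_ip[ip]["success_user"] is None:
            alerts_by_ip[ip]["success_user"] = e["user"]
            alerts_by_ip[ip]["success_ts"] = e["ts"]
    return list(alerts_by_ip.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Only the external host produces an alert, and because it carries a `success_user`, it represents a likely account compromise rather than noise; the benign typo and the slow, spread-out failures stay silent. In production the same logic would sit on top of a SIEM query over 4625/4624 with LogonType 10, with the threshold tuned to the environment's baseline.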
Qilin's recent history reveals a marked geographic expansion strategy, with documented victims in North America, Europe, and now the Middle East. The group has demonstrated a remarkable ability to adapt to defensive countermeasures, regularly updating its encryption tools and evasion techniques to circumvent traditional detection solutions.
Notable victims include organizations in the healthcare, education, and critical infrastructure sectors, demonstrating an opportunistic approach targeting organizations with high operational pressures. Qilin's RaaS structure facilitates this sector diversification, with each affiliate contributing their expertise in specific niches while benefiting from the group's centralized technical infrastructure.
The business model relies on revenue sharing between ransomware operators and affiliates, incentivizing the latter to select high-paying and critical victims. This professionalization of cybercrime transforms Qilin into a truly malicious enterprise, with dedicated technical support, trained negotiators, and a sophisticated cryptocurrency payment infrastructure to guarantee transaction anonymity.
Khazzan Logistics: Company Profile - Transportation (500-1000 employees) - OM
Since its founding in 2010, Khazzan Logistics has established itself as a key player in oil and gas logistics in the Middle East, orchestrating critical flows for the Omani energy industry. With a workforce of between 500 and 1,000 employees and revenues exceeding $100 million, the company coordinates complex operations requiring seamless synchronization between land and sea transport and the management of strategic port infrastructure.
Khazzan Logistics' specialization in the energy sector involves the daily handling of highly sensitive data: commercial contracts detailing volumes and prices negotiated with major oil companies, real-time geolocation information for convoys transporting hydrocarbons and equipment, and technical diagrams of critical logistics infrastructure. This concentration of strategic digital assets makes the organization a prime target for malicious actors seeking to monetize high-value intelligence.
Based in Oman, an oil and natural gas producing country whose economy is heavily dependent on energy exports, Khazzan Logistics operates in a complex geopolitical environment where security of supply is a matter of national sovereignty. The company provides logistical links to Asian, European, and African markets, positioning the Sultanate as a key regional energy hub.
Khazzan Logistics' importance in its sector lies in its ability to guarantee the continuity of energy flows despite the extreme geographical and climatic constraints of the Gulf region. Any disruption to its operations could trigger cascading delays affecting the delivery of hydrocarbons to dependent international markets, with potentially significant economic repercussions.
The compromise of this organization exposes not only its own digital assets but also those of its business partners: national oil companies, shipping companies, port operators, and end customers. This interconnectedness transforms the incident into a systemic threat to the entire regional energy logistics ecosystem, considerably amplifying the security stakes beyond the immediate perimeter of the compromised company.
Frequently Asked Questions
When did the attack by qilin on Khazzan Logistics occur?
The attack occurred on December 6, 2025 and was claimed by Qilin.
Who is the victim of qilin?
The victim is Khazzan Logistics, which operates in the transportation sector and is located in Oman (OM).
What is the XC protocol level for the attack on Khazzan Logistics?
The XC protocol level is currently XC SIGNAL, meaning the attack on Khazzan Logistics has been claimed by Qilin but has not yet been confirmed by our community.
Conclusion
The SIGNAL classification assigned to this attack by our XC-Classify protocol indicates that Qilin has claimed the intrusion but that the compromise, and the precise extent of any data exposure, have not yet been confirmed. This level, distinct from the MINIMAL, PARTIAL, and FULL classifications that quantify a confirmed exposure, signals a credible claim requiring active monitoring to establish whether the breach occurred and to measure its actual impact on affected individuals and systems.