Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Cyberattack Cripples European Oil Port Terminals17 Port Terminals in Western Europe Targeted by Ransomware
A large-scale ransomware attack has disrupted operations at oil terminals in Belgium, Germany and the Netherlands.
See Also: Cyberwarfare in the Russia-Ukraine War
This massive attack crippled IT systems, affecting dozens of terminals, oil storage and transport around the world, including Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands.
The cyberattack has also resulted in difficulty loading and unloading refined product cargoes at six oil storage terminals in the Amsterdam-Rotterdam-Antwerp refining hub, according to news reports.
"The latest large-scale ransomware attack has targeted oil port terminal software in at least 17 ports in Western Europe, re-routing tankers and significantly disrupting supply chains," according to global law firm Baker Botts.
The latest report says that Belgian prosecutors have immediately launched an investigation into the attack upon oil facilities that began on Jan. 29.
"Oiltanking GmbH Group and Mabanaft GmbH & Co. KG (Mabanaft) Group discovered we have been the victim of a cyber-incident affecting our IT systems. Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter. We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident," the German company says in a statement.
Oiltanking, which belongs to the Hamburg group of companies Marquard and Bahls, also says that it is undertaking a thorough investigation, together with external specialists, and is collaborating closely with the relevant authorities.
The mineral oil dealer Mabanaft, which belongs to the same group of companies, was also attacked.
"We are committed to resolving the issue and minimizing the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and provide updates as soon as more information becomes available," the German company says.
The 17 terminals affected include those in Hamburg, Ghent, Antwerp-Zeebrugge and Rotterdam. Baker Botts says that the full extent of the attacks is not yet known; reports indicate that ransomware attacks targeting the port terminals' software have prevented them from processing barges, resulting in rerouting and congestion while preventing tankers from loading and unloading.
Greg Day, vice president and global field CSO at Cybereason, says that with the global tensions affecting the access and availability of oil and gas, we can speculate if these recent attacks on oil suppliers throughout Europe are designed to inflame existing tensions between some of the countries involved or if the goal is more traditional profiteering, as there has been plenty of media coverage on increasing gas and oil prices.
Black Cat Ransomware
The German newspaper Handelsblatt first broke news of the attack on the German company and accessed internal documents from Germany’s Federal Office for Information Security that identified the BlackCat ransomware group as being responsible for the attack.
"Due to the paralysis of Oiltanking's tank farms, filling stations of medium-sized companies as well as major customers such as Shell can no longer be supplied. The operation has to be done manually, 233 gas stations, especially in northern Germany, are affected," according to the German newspaper.
Unit 42, the threat intelligence arm of security firm Palo Alto Networks, says that in just a month the BlackCat cybercrime group has carried out high-impact ransomware attacks on international organizations and risen to seventh place in the ranking of global ransomware groups. The ranking is based on the number of victims listed on BlackCat's data leak site.
The BlackCat ransomware group first came into the limelight in mid-November 2021 after targeting organizations in the U.S., Europe and the Philippines, in addition to other locations. Its targets included pharmaceutical companies and firms engaged in construction and engineering, retail, transportation, insurance, telecommunication and auto component manufacturing (see: Rust-Coded Malware Key Factor in BlackCat's Meteoric Rise).
According to findings by Indian cybersecurity company CloudSEK, BlackCat - or Alphv - was a former member of the REvil group. A member of the LockBit ransomware group, the report says, has claimed BlackCat is a rebranded version of the BlackMatter or DarkSide ransomware group.
Scott Connarty, general council at cybersecurity firm Adarma, says this significant ransomware attack in the oil and gas sector is worrisome because it targets critical infrastructure to impede supply chains and cause as much economic disruption as possible.
"This latest attack should be a further reminder of the ever-increasing frequency, sophistication and severity of cyberattack we all face. Having experienced a very similar cyberattack in a previous company, I unfortunately know how crippling a ransomware incident like this can be on a company's continued ability to trade and the extreme pressure that is heaped onto an executive team to successfully navigate through such a crisis. The importance of all businesses constantly managing their cybersecurity has never been more apparent," Connarty tells Information Security Media Group.
Stanislav Sivak, associate managing software security consultant at the Synopsys Software Integrity Group, says while there isn’t much information available on the motivation, impact and attack vector so far, it is interesting to see that even some not so publicly known organizations such as petrol distributors are getting attention from cyberattackers nowadays.
"This is the case for all critical infrastructure elements. You don’t notice they exist until they don’t. This is a perfect example of how software risk equates to business risk. Fortunately, in this instance, either due to other compensating controls or the breadth of the attack, the impact is limited to a partial denial of service and it seems that no data breach has occurred," Sivak says.