Seventeen port terminals in Western Europe targeted by ransomware
Prajeet Nair (@prajeetspeaks) • February 5, 2022
A large-scale ransomware attack has disrupted operations at oil terminals in Belgium, Germany and the Netherlands.
The attack crippled IT systems at dozens of terminals that handle oil storage and transportation around the world, including those of Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands.
The cyberattack also led to difficulties in loading and unloading refined product shipments at six oil storage terminals in the Amsterdam-Rotterdam-Antwerp refining hub, according to news reports.
“The latest large-scale ransomware attack targeted oil port terminal software in at least 17 Western European ports, redirecting tankers and significantly disrupting supply chains,” according to the global law firm Baker Botts.
The latest report says Belgian prosecutors immediately opened an investigation into the attack on the oil installations which began on January 29.
“Oiltanking GmbH Group and Mabanaft Group GmbH & Co. KG (Mabanaft) have discovered that we have been the victim of a cyber incident affecting our IT systems. Upon learning of the incident, we immediately took action to enhance the security of our systems and processes and launched an investigation into the matter. We are working to resolve this issue in accordance with our contingency plans, as well as to understand the full scope of the incident,” said the German company in a press release.
Oiltanking, which belongs to the Hamburg-based Marquard and Bahls group of companies, also says it is carrying out a thorough investigation with external specialists and is working closely with the competent authorities.
Mineral oil trader Mabanaft, which belongs to the same group of companies, was also attacked.
“We are committed to resolving the issue and minimizing the impact as quickly and efficiently as possible. We will keep our customers and partners informed and provide updates as more information becomes available,” the German company said.
The 17 impacted terminals include those in Hamburg, Ghent, Antwerp-Zeebrugge and Rotterdam. Baker Botts says the full extent of the attacks is not yet known; reports indicate that ransomware attacks targeting software at port terminals have prevented them from processing barges, causing re-routing and congestion while preventing tankers from loading and unloading.
Greg Day, Vice President, Global Field CSO at Cybereason, says that with global tensions impacting oil and gas access and availability, we can speculate whether these recent attacks on oil suppliers across Europe are designed to inflame existing tensions between some of the countries involved, or if the aim is more traditional profit, as there has been a lot of media coverage of rising gas and oil prices.
BlackCat ransomware
The German newspaper Handelsblatt first reported the attack on the German company and accessed internal documents from the German Federal Office for Information Security that identified the BlackCat group as the ransomware actor responsible for the attack.
“Due to the shutdown of the Oiltanking tank farms, the petrol stations of medium-sized companies as well as large customers such as Shell can no longer be supplied. The operation must be done manually, 233 petrol stations, especially in northern Germany, are concerned,” according to the German newspaper.
Unit 42, the threat intelligence arm of security firm Palo Alto Networks, says that in just one month, cybercrime group BlackCat has carried out high-impact ransomware attacks against international organizations and risen to seventh place in the ranking of global ransomware groups. The ranking is based on the number of victims listed on BlackCat’s data leak site.
The BlackCat ransomware group first came into the limelight in mid-November 2021 after targeting organizations in the United States, Europe, and the Philippines, in addition to other locations. Its targets included pharmaceutical companies and companies engaged in construction and engineering, retail, transportation, insurance, telecommunications, and automotive component manufacturing (see: Rust-coded malware key factor in BlackCat’s meteoric rise).
According to the findings of the Indian cybersecurity company CloudSEK, BlackCat, or ALPHV, was a former member of the REvil group. According to the report, a member of the LockBit ransomware group claimed that BlackCat is a rebranded version of the BlackMatter or DarkSide ransomware group.
Scott Connarty, general counsel at cybersecurity firm Adarma, says this major ransomware attack in the oil and gas sector is worrying because it is yet another attack targeting critical infrastructure to hamper supply chains and cause as much economic disruption as possible.
“This latest attack should be a further reminder of the ever-increasing frequency, sophistication and severity of cyberattacks we all face. of ransomware like this may depend on a company’s continued ability to do business and the extreme pressure placed on a management team to successfully weather such a crisis. their cybersecurity has never been more evident,” Connarty told Information Security Media Group.
Stanislav Sivak, Associate Software Security Management Consultant at Synopsys Software Integrity Group, says that although there is not much information available on motivation, impact and attack vector so far, it is interesting to see that even some organizations less known to the public, such as gasoline distributors, are attracting the attention of cyber attackers these days.
“This is the case with all critical pieces of infrastructure, you don’t notice they exist, until they don’t. It’s a perfect example of how software risk amounts to business risk. Fortunately, in this case, either due to other controls offsets or the scale of the attack, the impact is limited to a partial denial of service and it appears that no data breach occurred,” says Sivak.