The ransomware attack affected dozens of oil storage and transport terminals around the world, including Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands.
“The latest large-scale ransomware attack has targeted oil port terminal software in at least 17 ports in Western Europe, re-routing tankers and significantly disrupting supply chains,” according to global law firm Baker Botts.
The 17 terminals affected include those in Hamburg, Ghent, Antwerp-Zeebrugge and Rotterdam. Baker Botts says that although the full extent of the attacks is not yet known, reports indicate that ransomware attacks targeting the port terminals’ software have prevented them from processing barges, resulting in rerouting and congestion while preventing tankers from loading and unloading.
The cyberattack has also resulted in difficulty loading and unloading refined product cargoes at six oil storage terminals in the Amsterdam-Rotterdam-Antwerp refining hub, according to news reports.
Oiltanking Response to the Ransomware Incident
“Oiltanking GmbH Group and Mabanaft GmbH & Co. KG (Mabanaft) Group discovered we have been the victim of a cyber-incident affecting our IT systems. Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter. We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident,” the German company says in a statement.
Oiltanking, which belongs to the Hamburg group of companies Marquard and Bahls, also says that it is undertaking a thorough investigation, together with external specialists, and is collaborating closely with the relevant authorities.
The mineral oil dealer Mabanaft, which belongs to the same group of companies, was also attacked.
“We are committed to resolving the issue and minimizing the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and provide updates as soon as more information becomes available,” the German company says.
The BlackCat Cybercrime Group
The German newspaper Handelsblatt first broke news of the attack on the German company and accessed internal documents from Germany’s Federal Office for Information Security that identified the BlackCat ransomware group as being responsible for the attack.
“Due to the paralysis of Oiltanking’s tank farms, filling stations of medium-sized companies as well as major customers such as Shell can no longer be supplied. The operation has to be done manually, 233 gas stations, especially in northern Germany, are affected,” according to the German newspaper.
Unit 42, the threat intelligence arm of security firm Palo Alto Networks, says that in just a month the BlackCat cybercrime group has carried out high-impact ransomware attacks on international organizations and risen to seventh place in the ranking of global ransomware groups.
The BlackCat ransomware group first came into the limelight in mid-November 2021 after targeting organizations in the U.S., Europe and the Philippines, in addition to other locations. Its targets included pharmaceutical companies and firms engaged in construction and engineering, retail, transportation, insurance, telecommunication and auto component manufacturing.
According to findings by Indian cybersecurity company CloudSEK, BlackCat – or Alphv – was a former member of the REvil group. A member of the LockBit ransomware group, the report says, has claimed BlackCat is a rebranded version of the BlackMatter or DarkSide ransomware group.
Attacks on Critical Infrastructure
Scott Connarty, general counsel at cybersecurity firm Adarma, says this significant ransomware attack in the oil and gas sector is worrisome because it targets critical infrastructure to impede supply chains and cause as much economic disruption as possible.
“This latest attack should be a further reminder of the ever-increasing frequency, sophistication and severity of cyberattacks we all face. Having experienced a very similar cyberattack in a previous company, I unfortunately know how crippling a ransomware incident like this can be on a company’s continued ability to trade and the extreme pressure that is heaped onto an executive team to successfully navigate through such a crisis. The importance of all businesses constantly managing their cybersecurity has never been more apparent,” Connarty tells Information Security Media Group.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his broad knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.