Cyber attacks on European oil facilities spreading

A series of cyber attacks targeting oil distribution terminals and other facilities in Europe has authorities on high alert, given rising fuel prices and the threat of supply disruption should the political crisis in Ukraine escalate into conflict.

The first incident to come to light took place at two German oil companies, OilTanking and Mabanaft, which operate under the same Hamburg-based parent, Marquard & Bahls, a logistics specialist. This ongoing attack, which, it has emerged, is very likely the work of the BlackCat ransomware group, has had a small impact on retail fuel supplies in Germany.

It is now emerging that a series of other attacks are also taking place, hitting oil terminals belonging to various organisations operating at the ports of Antwerp and Ghent in Belgium, and Amsterdam and Terneuzen in the Netherlands. These facilities are operated by logistics and shipping organisations SEA-tank – part of the larger SEA-invest group – and Evos, to which OilTanking sold a number of facilities last year, as well as OilTanking itself.

The incidents are mainly affecting the loading and unloading of cargo at the impacted facilities, and it can be expected that should normal operations not resume soon, these impacts will spread into the shipping and logistics sector.

It is understood that the Belgian authorities and the Dutch National Cyber Security Centre are investigating the incidents, and are being supported by Europol. A spokesperson for the Dutch NCSC told Computer Weekly it did not believe the attacks were coordinated, but it is continuing to monitor the situation. Europol did not comment further but to confirm its involvement.

Dominic Trott, UK product manager at Orange Cyberdefense, commented: “Critical national infrastructure [CNI] is becoming an increasingly popular target for malicious actors due to the devastating impacts downtime and delays in this sector can have. You only have to look back at last year’s fuel crisis or the attack on US supplier Colonial Pipeline to see this in action.

“In this attack, the impacts have already spread far further than the three countries where these businesses are based, with the connected nature of the global supply chains resulting in ports in Africa and across Europe more widely also being affected.”

Although it is far too early in any investigation to necessarily draw links between this series of incidents, a number of possible scenarios may be unfolding, of which the most impactful would clearly be a link to the Ukraine crisis. Armed conflict in Ukraine would likely impact supplies of fossil fuels from Russia into Europe and it is certainly possible this could be some kind of advance operation.

Dennis Hackney, head of industrial cyber security services development at risk consultancy ABS Group, reiterated that at this stage, the attacks cannot be attributed to any uncategorised or known advanced persistent threat (APT) groups backed by Russia. “However,” he said, “these attacks are in line with the tactics and techniques Russia has used in the past. Historically, when the Russian agenda is compromised, cyber attacks arise, impacting Europe’s gas and oil supply.”

Equally possible, and perhaps more likely given the possible involvement of the BlackCat ransomware group, which has links to the likes of REvil, is that the incidents are linked through a compromised piece of software used by all the victims – a classic supply chain attack akin to that perpetrated by REvil on Kaseya.

What is clear is that organisations termed as CNI, which includes the distribution of fuel supplies, are uniformly at high risk. Indeed, research conducted by Bridewell Consulting suggests that 86% of CNI organisations have detected cyber attacks on their operational technology (OT) or industrial control systems (ICS) in the past 12 months, with 93% of those saying at least one of those attempts had got through.

Concerningly, the research also suggested a degree of misplaced confidence, with clear majorities saying they were confident their OT systems were fully protected. Bridewell said there was evidence of reliance on ageing legacy infrastructure, and too much trust being placed in suppliers.

“Security vulnerabilities, while challenging to remediate within some CNI organisations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent,” said Bridewell co-CEO Scott Nicholson.

“Legislation like the NIS Directive and NIS Regulations has certainly helped to improve cyber security in the sector, but there is still room for improvement.”

This article was updated at 3.24pm on Friday 4 January to correct a misattributed quote to Dennis Hackney of ABS Group, and to add additional information from Europol and the Dutch NCSC.