Cyber-attacks on German Oil Companies

This week German oil companies, Mabanaft GmbH and Oiltanking GmbH, both reported to have been attacked by a cyber incident. The attacks were reported on January 29th, 2022. Both the companies operate storage tank terminals for oil, gas and chemicals. They also manage supply chains connecting to gas stations. The impact on their IT systems has been felt all the way down to end consumers. The head of Germany’s IT Security Agency, Arne Schoenbohm, announced in a press conference that 1.7% of the country’s gas stations have been impacted.

Reports have suggested the impact has rendered it impossible to change prices and accept credit card payments. Some stations were forced to resort to cash payments to stay operational.

Although German regulators do not asses the attack to have an impact on the overall fuel supply in the country, the attacks do not seem to be limited to these two companies. Wisag, a German aviation fuel company, reported that their systems may have been compromised as well while Evos Group reported similar impact at their terminals in the Netherlands, Belgium and Malta. Although no direct correlation has been found between the attacks to suggest large scale coordination, the timing of all the attacks clearly seem to overlap.

There is speculation on how the attacks were triaged and who is responsible. It is believed that the attack has been caused by the "Black Cat" ransomware. There are some indications that the attackers may have leveraged on loopholes in Microsoft Exchange and the Zoho Adself Service Plus1 software. It has been suggested that the dark web group APT27 may be responsible for it, while others are suspecting a link to the current Russia-Ukraine conflict.

Cyber-attacks on key infrastructure like oil of this sort are on the rise. Last year US oil giant, Colonial Pipeline, was also hit with a ransomware. The impact on their systems was felt through Southeastern United States. Supplies across the region were disrupted. The severity was so large the US government had to step in. The case was eventually settled for a ransom of $11 million. The attack is blamed on the DarkSide group. Quite interestingly, the group shut down soon after the attack and US administrators reported that the mastermind of the attack was later captured by the Russian security service.

If the stakes become too big, sometimes the attackers may be brought to justice, but the impact that companies have to deal with are overbearing. The havoc on local economies is uncalled for.

Generally, the attacks are directed at large companies. Large companies have substantial market share rendering their services quite essential within the scope of their industry. Being able to bring the operations of such a company to halt makes it easier for attackers to bargain. They are the ones with the money and most likely to pay up and resume operations. The longer you are out of operations, the more money you lose and the more likely are you to lose business to your competitors. In the current case – Royal Dutch Shell was forced to reroute their supplies away from Mabanaft and Oiltanking to other storage facilities.

Although it is a conundrum – do you stand up to the attackers or do you reduce losses – the choice has seemed to be the latter in many instances. Pay up now and ramp up your security. It solves the problem for the moment, but leaves an opening for future incidents on others. Despite the sophistication of modern technology systems, hackers have always found a way to beat them. We do not hear about all the incidents, but they are happening all the time.

The importance of securing your infrastructure has only become dire by the day. Cyber security software is continuously evolving to tackle the persistent threat. Incident response systems have been built around them to help enable resolutions and minimize losses by identifying the issues faster. Only companies with a comprehensive systematic approach to incident management seem to be the ones best equipped to handle cyber-attacks.