Following news of major cyberattacks on German-based oil storage companies, there are now reports of similar attacks in the Netherlands and Belgium. In recent days, reports emerged that the German-based facilities of the Oiltanking GmbH Group and Mabanaft Group had come under attack. The companies stated that their IT systems reported incidents last Saturday. The total impact of the attacks remains unclear, but external parties are working to deal with the situation and understand the threat. The current emphasis is on restoring normal operations at the terminals. Up until now, it seems that only the Oiltanking Deutschland part of the operation has been affected. The German entity is part of Mabanaft. Oiltanking’s other global oil, gas, and chemical terminals all appear unaffected. Mabanaft’s German arm had “declared force majeure for the majority of its inland supply activities in Germany.” Analysts report that only 1.7% of Germany’s gas stations are being impacted at present. German news agency DPA reported that the cyberattack has not threatened the country’s fuel supplies.
Some analysts are, however, worried that these attacks are linked to the ongoing Ukraine-Russia conflict. Moscow has already threatened to shut off its pipelines in Europe if the Ukraine conflict escalates into a real conflict. While cyber-experts are playing down the possible link with Russia, it remains a real possibility that pro-Russian parties are trying to increase pressure on Berlin.
After news of the German attacks went public, new reports came out today suggesting that oil terminals in the Netherlands (Amsterdam, Terneuzen) and Belgium (Antwerp, Gent) have been hit too. Reports suggest oil vessels are having trouble loading and unloading their cargo in these ports. According to the Dutch website Marketscreener, six storage facilities of Sea Tank, Oiltanking, and Evos have been hit. When asked, the Dutch National Cyber Security Center (NCSC) stated that it seems not to be a coordinated attack. NCSC indicated that there could be a criminal motive behind it. Europe’s EUROPOL is also involved in the search for the culprits.
The German Federal Office for Information Security (BSI) stated in a report that the BlackCat ransomware group was behind the recent cyberattack on the two German oil companies. According to German newspaper Handelsblatt, which obtained access to the report, the Oiltanking attack was carried out by “BlackCat ransomware through a previously unknown gateway.” Oiltanking did not confirm this.
BlackCat was also responsible for last year’s ransomware attack on the Colonial Pipeline in the U.S., which brought fuel supplies to the US East Coast to a total standstill. BlackCat seems to be linked to Darkside and another ransomware group, BlackMatter. US cyber-experts have indicated that BlackCat is a rebrand of BlackMatter.
While there are no direct links at present between BlackCat/BlackMatter and Moscow, it is hard to ignore the timing. This week, during a Putin news conference, the main focus was on the Ukraine conflict. In Moscow’s view, the crisis over Ukraine is a provocation entirely made in America. Moscow always links Ukraine’s future to the fact that the US may have positioned offensive weapons (land-attack weapons like the Tomahawk missile) near Russia. In a reaction to Putin’s statements, US Deputy National Security Advisor for Cybersecurity and Emerging Technologies Anne Neuberger is at present talking to NATO members on a mission which is “largely focused on how to coordinate a NATO response should Russia again attack parts of the power grid in Ukraine or take out communications in an effort to destabilize the Ukrainian government.” A potential cyber-based attack or cyberwarfare approach is clearly on their mind. At present, there is an emphasis on Russian cyber actions against Ukraine, as Ukraine is pressuring NATO members to assist it with cybersecurity. Recently, anti-Russian activists are said to have disrupted Belarusian rail transport. Without any doubt, the German-Dutch-Belgian cyberattacks could be linked to a possible answer by others. One thing is clear: whatever or whoever is behind the current cyber threats, Moscow has the capability to strike whenever and wherever it wants when it comes to cyberwar.
By Cyril Widdershoven for Oilprice.com