ASYMMETRICAL CYBER WARFARE
Cyberattack Disrupting Northern European Oil Hubs in Major Ports
Port facilities across northern Europe are all reporting what appears to be a spreading cyberattack targeting the region’s oil operations. After initial reports of disruptions in Germany, reports are now also coming in from the Netherlands and Belgium saying that it is impacting the loading and unloading of barges at a time when the oil market is already strained by winter weather. Local prosecutors in the three countries are investigating while reports indicate the European Union’s policy agency has also offered to support the investigation.
The first instances of what appears to be a sophisticated cyberattack were reported in Germany late last week. Oiltanking Group and Mabanaft discovered they had been victims of a cyber incident on January 29. The companies reported taking actions to address the situation and strengthen their network while investigating the extent of the intrusion. A separate company, Oiltanking Deutschland, which runs terminals in Germany, reported that it was operating at limited capacity, and Mabanaft Deutschland, which runs inland terminals, also reported that its operations were being impacted. Both Oiltanking Deutschland and Mabanaft Deutschland declared force majeure, reporting that they were having problems honoring delivery contracts.
German judicial authorities confirmed that they had launched an investigation into suspected extortion of oil operators. The German newspaper Handelsblatt first reported that the German security services believe the attack began with BlackCat ransomware. The software first appeared late last year and drew attention because of its sophisticated approach and its incorporation of several so-called innovations compared with other ransomware.
After the reports of problems in Hamburg, additional terminals also began reporting outages. Belgian authorities are also investigating after ports in Ghent and Antwerp-Zeebrugge were impacted. Similarly, the authorities in the Netherlands became involved. SEA-Tank, Oiltanking, and Evos in Amsterdam, Ghent and Antwerp are all reporting issues related to their operating systems.
The head of Germany’s IT security agency, in a press briefing, called the incident serious but said it was not grave, believing that it has been contained. The authorities are investigating if it was a coordinated attack on multiple locations or if it spread through the cross-border operations along the Dutch-Belgian oil trading hub.
The unloading of oil barges has become an issue while elsewhere companies have worked to reroute shipments. This week, Shell said it was taking steps to reroute to different supply depots because of the attacks.
The current attack is reminiscent of the May 2021 ransomware incident on the U.S.’s Colonial Pipeline. The pipeline, which is one of the largest and most critical in the U.S. as it feeds much of the East Coast, was disrupted for days.
German Fuel Hack Stretches to Sixth Day With Distribution Curbed
Bloomberg News Feb 4, 2022
(Bloomberg) -- A cyberattack targeting fuel storages in Germany and parts of northern Europe stretched into a sixth day with little visibility over when things will get back to normal.
Mabanaft Germany, whose systems were breached, continued to work on resolving the issue on Friday, according to a letter from the company seen by Bloomberg.
The hack left swaths of German fuel depots unable to load onto trucks. Operations at different companies’ terminals in Belgium that handle a range of fuels, including gas, have also been disrupted. At least one terminal in Antwerp run by a company that suffered an IT outage is at least partly operating, according to two people with knowledge of the matter.
German authorities said earlier this week the incident was serious “but not grave.” People involved in fuel distribution in Germany said the fuel-supply situation since the hacking has so far been stable. One said there were plenty of alternative routes to market, while others said that high prices and subdued demand have helped to take any pressure off the country’s supply of heating oil.
The hackers behind the German breach appear to be related to the Russian DarkSide ransomware gang, according to Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. DarkSide was accused of the attack on Colonial Pipeline Co. last year, shutting down the largest gasoline pipeline in the U.S. for several days in May.
The hacking has coincided with one of the tightest diesel markets that Europe has seen in years. So-called timespreads for the fuel have surged to the highest since 2008, indicating demand is outpacing supply. The distributors in Germany said that has resulted in slow demand.
Oiltanking Deutschland GmbH, a Mabanaft-linked storage firm whose IT system was also compromised, had about 18 million tons of fuel pass through its depots in 2020. That equates to about 15-20% of the nation’s oil demand, according to data compiled by Bloomberg.
In Germany, a force majeure is in place across distribution and storage assets owned by Mabanaft Group, within which Oiltanking Deutschland operates. Both firms are owned by Marquard & Bahls.
The disruption left companies like Shell Plc unable to load fuels onto trucks at Oiltanking Deutschland facilities and looking for alternative options. Some barge operators can’t get fuel out of storage onto vessels operating along the Rhine River, a major conduit for supplies from northwest Europe to buyers as far away as Switzerland. Payments were hindered at some German filling stations.
©2022 Bloomberg L.P.
Shell Forced to Reroute Oil Supplies After Cyberattack
A cyber attack on a German oil storage and logistics firm has impacted Shell’s oil supply chain in Germany, where it is rerouting supplies to alternative depots, the supermajor said on Tuesday.
Shell was able to “reroute to alternative supply depots for the time being,” a spokesperson for Shell’s German unit, Shell Deutschland GmbH, said in a statement on Tuesday as carried by Reuters.
A few days ago, oil supply and logistics firm Oiltanking Deutschland GmbH and oil trading firm Mabanaft, both of which are subsidiaries of Hamburg-based group Marquard & Bahls, were victims of a cyberattack that affected their IT systems.
The companies discovered the cyber incident on Saturday and launched an investigation into it with the help of external specialists, Oiltanking Deutschland and Mabanaft said in an emailed statement cited by The Associated Press.
Oiltanking GmbH Group continues to operate all terminals in all global markets, but the German operations of Oiltanking Deutschland GmbH were “operating with limited capacity.”
The companies are working to restore operations to normal as soon as feasible, but in the meantime, the oil logistics and supply chain in Germany has been affected, including oil logistics at the local operations of supermajor Shell.
All systems of loading and unloading tanks operated by Oiltanking Deutschland in Germany are paralyzed, German business daily Handelsblatt reported on Tuesday.
Oiltanking Deutschland is one of the largest independent providers of tank space for oils, chemicals, and gases worldwide, according to Handelsblatt. Oiltanking Deutschland has 11 tank farm locations in Germany.
The German unit of Mabanaft “has also declared force majeure for the majority of its inland supply activities in Germany,” the statement from the firm cited by AP said. Mabanaft is an importer, wholesaler, and supplier of gasoline, diesel fuel, jet fuel, heating oil, and other petroleum products.
By Charles Kennedy for Oilprice.com
Opinion: Now is the Time to Take Port Cyber Security Seriously
If you think COVID-related supply chain issues at ports are bad, wait until a malicious actor wants to inflict similar chaos on purpose.
Locomotives, airplanes, container ships and bulk freighters, long-haul and short-haul trucks, anything that rolls, flies, or floats. No matter the vehicle, and no matter how it’s powered, chances are a port plays a critical role in beginning or ending its journey. From paying more at the gas pump to finding things from baby formula to cat food, we have witnessed firsthand what happens when the push and pull of supply and demand starts to break down. Ports are dedicated to ensuring that supply meets demand both in terms of finished goods and the raw materials for making them. When they break down, the ripples spread across the entire economy.
At this moment, on the periphery of the crisis unfolding in Ukraine, major bulk fuel suppliers in the ports of Antwerp and Hamburg are experiencing work stoppages because of cyber attacks. Regardless of the motive or responsible party, what occurred this week is an explicit example of how bad actors use attacks such as these to take advantage of a dire situation. While this attack may not have been on our shores, it can directly impact the United States’ and its allies’ ability to operate in the region, as well as apply needless stress on an already taxed economy.
The American Association of Port Authorities (AAPA) highlighted in Congressional testimony the role cyber security plays in securing our ports. AAPA’s President Chris Connor recently emphasized that the dual threats of ransomware and COVID-induced supply and staffing stresses have “revealed what is already a problem…ship and port systems are connected to each other or the internet. A critical attack on any of these systems could have devastating economic consequences or even lead to the loss of life.”
This is not an exaggeration. The efficiency of current global economic systems is due in large part to interconnectedness and advanced analytics, both of which are powered by cyber infrastructure that is now thoroughly enmeshed with traditional port infrastructure. Connor further noted that “the maritime transportation system needs resources to harden their IT systems to prevent attacks and to respond appropriately when an attack does occur.”
The bad news is we have a problem, but the good news is we generally know what we need to address this: more resilient networks combined with better cyber detection and response capabilities.
The exact scope and scale of implementing this solution will differ from port to port, but through financial programs such as the Department of Homeland Security’s Port Security Grant Program and resources from the Office of Maritime Security at the Department of Transportation, the work can and must begin now.
Ports have played a crucial role in America’s growth and role in the world since its founding, but a time has come when these engines of economic and social power might become vulnerable in a crisis. Not all critical infrastructure is equally critical, and ports have the potential to be just as devastating when compromised or degraded as they are constructive when they are operating at their full potential. Malicious cyber actors are noticing that the toxic mix of ransomware, epidemics, and geopolitical instability in places like Ukraine, the South China Sea, or the Persian Gulf can make even simple attacks extremely effective.
It will not matter if our power grid is resilient if it can’t get the coal and natural gas to feed it. It will not matter how secure our smart devices are if they are sitting in shipping containers. It will not matter how cheap gas is if the pipelines that carry it are not functioning. And finally, it will not matter how much money is earmarked for addressing cyber security at ports if it is not spent wisely, and more importantly, before a crisis arrives, and judging by events in Europe, it may already be upon us.
Jason P. Atwell is the Principal Advisor of Global Intelligence at Mandiant, Inc., the global leader in dynamic cyber defense and response.