Cyberattack targets systems at Oiltanking, Mabanaft Group, impacting operations

Two German companies, Oiltanking GmbH Group and Mabanaft Group, said on Tuesday that they had fallen victims to a cyber incident affecting their IT systems. Both companies owned by Hamburg-based company fuel group Marquard & Bahls have been struck by cyber attackers, who have targeted the loading and unloading systems at the German arm of petrol tank terminal provider Oiltanking. The nature of the cyber-attack, the number of affected systems, or if any company data has been compromised is unclear at this point in time.

Oiltanking confirmed to The Register on Tuesday that Oiltanking’s terminals – which provide Shell service stations, among others – are ‘operating with limited capacity’ and that Mabanaft had ‘declared force majeure for the majority of its inland supply activities in Germany.’ Oiltanking and Mabanaft are involved in the storing and supplying of oil and other materials.

“Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter,” Oiltanking said in a company statement. “We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident. We are undertaking a thorough investigation, together with external specialists and are collaborating closely with the relevant authorities,” it added.

Oiltanking and Mabanaft identified on Saturday a ‘cyber incident affecting our IT systems’ and launched an investigation together with external specialists, the companies said in an emailed statement to the Associated Press. They did not elaborate on the nature of the incident or address who might be responsible, and said they are working to understand its ‘full scope.’

The head of Germany’s IT security agency, Arne Schoenbohm, said at a conference on Tuesday that the incident was serious ‘but not grave,’ German news agency dpa reported.

Schoenbohm said that 233 filling stations largely in northern Germany had been affected, only 1.7 percent of the country’s total. He said that it wasn’t possible at some of those stations to pay by credit card or adjust prices, but that in some cases it was possible to pay using cash.

Oiltanking, a major part of the €14 billion Marquard & Bahls group, operates 47 tank terminals in 21 countries with a total capacity of 18.5 million cubic meters. Its 13 petrol storage facilities in Germany supply Shell petrol stations in the country, along with other small and medium-sized petrol station firms. 

While there is a lot of discussion around ICS/OT security, the reality is that most operations are disrupted by compromises and attacks that begin within IT, Saryu Nayyar, CEO and founder at Gurucul, said in an emailed statement. “While the devices and systems themselves may run on hardened or proprietary operating systems and architectures, the management of these devices often do not, leaving them susceptible to a malware or ransomware attack,” she added. 

This shows how critical it is to invest in more advanced threat detection and response solutions that can enable automation with higher confidence and lower impact to help security teams prevent disruption and the detonation of ransomware, Nayyar added.

On Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. 

The latest cyberattack on Oiltanking and Mabanaft’s IT systems comes around nine months after a cybersecurity incident led to operations at Colonial Pipeline shutting down after it was stuck by DarkSide ransomware attackers. The fuel pipeline company is reported to have paid close to nearly $5 million as ransom to the DarkSide ransomware attackers. 

The use of cyberattacks for achieving nation-state or criminal gang aims continues to increase, Saumitra Das, CTO and co-founder, Blue Hexagon, wrote in an emailed statement. “This is reminiscent of the Colonial Pipeline attack where cyberattacks on critical infrastructure companies, even if on the IT side, can lead to issues in critical infrastructure. Attackers do not always have to infiltrate OT systems, bringing down the IT side of the house can cause enough disruption to achieve their end goals – whether that is a ransom payment or a geopolitical,” he added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.