Cyberattacks continue to extend across Europe, BlackCat ransomware may be involved

Cyberattacks have continued to affect oil transport and storage companies across Europe. At the same time, authorities say that large-scale cyberattacks have also targeted port facilities in Belgium, Germany, and the Netherlands. IT systems have been disrupted at SEA-Invest in Belgium and Evos in the Netherlands, while unconfirmed reports suggest that BlackCat ransomware may have compromised systems at Oiltanking GmbH Group and Mabanaft Group in Germany.

Despite these cyberattacks, cybersecurity officials from the affected countries said on Thursday that they do not have reason to believe that the attacks are linked to one another.

One European government official who is involved in the investigation but is not authorized to speak about it publicly told The Record that the port incidents are ransomware attacks believed to be linked to the BlackCat and Conti ransomware families. 

“A judicial investigation is ongoing at the public prosecutor’s office in Antwerp. Attribution of such a cyberattack is, as you know, very difficult and it is now far too early for that. We have no technical indications that the attacks are linked,” said Katrien Eggers, a spokesperson for the Centre for Cyber Security Belgium, the country’s central authority for cybersecurity.

The Netherlands’ National Cyber Security Center said in a statement that it does not believe the attacks targeting the oil and chemical sector in the Netherlands, Belgium, and Germany to be related. It also added that the cyberattacks do not appear to be linked to nation-state hackers.

“The NCSC’s view is that at the moment there does not seem to be a coordinated attack and that the attacks were probably committed with a criminal motive. The NCSC is closely monitoring developments and will take further action if necessary.”

Deutsche Welle reported that Belgian authorities had opened an investigation into a cyberattack against at least two energy companies based in the port cities of Antwerp and Ghent, according to an official who spoke on Thursday. The cyberattack has affected SEA-Invest terminals, including the company’s largest in Antwerp, called SEA-Tank.

“An investigation by the Federal Computer Crime Unit has started,” said Kristof Aerts, an official at the public prosecutor’s office in Antwerp — Europe’s second-largest port.

The BBC reported that a SEA-Invest spokeswoman said the company was hit on Sunday, with every port it runs in Europe and Africa affected. The company is getting a backup IT system online but says that most liquid transportation is operational. The spokeswoman said SEA-Invest is aware of the cyberattacks against other companies, but investigations have not determined if there is a link, the report added.

Prosecutors in the German port city of Hamburg also launched an investigation on Wednesday after two companies, Oiltanking and Mabanaft, were hit by a possible ransomware strike. The companies confirmed earlier this week that they had fallen victim to a cyber incident affecting their IT systems.

In addition, Oiltanking had confirmed on Tuesday that its terminals – which provide Shell service stations, among others – were ‘operating with limited capacity’ and that Mabanaft had ‘declared force majeure for the majority of its inland supply activities in Germany.’ Oiltanking and Mabanaft are involved in storing and supplying oil and other materials.

German newspaper Handelsblatt obtained an internal report that said Oiltanking’s ‘systems were compromised by the BlackCat ransomware through a previously unknown gateway.’ The company has not confirmed that BlackCat was behind the attack, but said it discovered the initial cyber incident on Saturday, Jan. 29.

The BlackCat ransomware group surfaced in mid-November 2021 and gained notoriety for its sophistication and innovation, Palo Alto Networks’ Unit42 division pointed out in its recent threat assessment. Operating a ransomware-as-a-service (RaaS) business model and written in the Russian language, BlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on its leak site in a little over a month.

The most significant number of the group’s victims so far are U.S. organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines, and other locations, Unit42 said. Victims are spread across various verticals, including construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals, it added.

A spokesperson for Evos in the Netherlands told the BBC that IT services at terminals in Terneuzen, Ghent, and Malta have ‘caused some delays in execution.’

According to the Dutch website Marketscreener, at least six oil storage terminals in the Amsterdam-Rotterdam-Antwerp (ARA) refining hub are having difficulty loading and unloading refined product cargoes, owing to a cyberattack on European oil terminals that began on Jan. 29.

“The affected terminals are operated by SEA-Tank, Oiltanking and Evos in Antwerp, Ghent, Amsterdam and Terneuzen. This adds to the 11 Oiltanking sites affected in Germany. Only one of Evos’ two terminals in Amsterdam appears to have been affected, most likely the one now called Amsterdam East that it bought from Oiltanking last year,” the report added.

Cyberattackers have also targeted popular British savory snacks maker Kenyon Produce (KP) Snacks. The company became aware last Friday that it was the victim of a ransomware attack when hackers gained access to a network and held data hostage. The cyberattack has led to supply chain disruption around the U.K., with some reports stating that the supply shortage issues can last until the end of March.

“The KP Snacks ransomware attack is yet another reminder of the need for strong security protocols as organizations’ IT and OT networks continue to converge,” Marty Edwards, vice president of OT Security at Tenable, wrote in an emailed statement. “Most ransomware attacks exploit a lack of cyber hygiene, and threat actors are waiting to take advantage. Organisations must protect themselves by doing the basics well — beginning with having complete visibility into all assets, including cloud, IT, and OT.”

It is only a matter of time before these typically IT-oriented attacks begin to more dramatically impact OT systems directly and more organizations fall victim, Edwards added.

These cyberattacks on critical infrastructure installations come as energy prices continue to rise, putting pressure on consumers amid tensions between western countries and Russia.

Last month, the Microsoft Threat Intelligence Center (MSTIC) said that it had identified evidence of a destructive malware operation targeting multiple organizations in Ukraine, which first appeared on victim systems in Ukraine on Jan. 13. The large-scale cyberattack brought down several Ukrainian government and ministry websites, including the ministry of foreign affairs and the education ministry.
