German Petrol Company Oiltanking Suffers Cyberattack

Oiltanking GmbH, a German petrol distributor that supplies Shell petrol stations in the country, has fallen victim to a cyberattack that severely disrupted its operations.

The attack also affected Mabanaft GmbH, an oil supplier. Both companies are subsidiaries of the Marquard & Bahls group, which may have been the initial point of compromise.

Below are some comments from cybersecurity experts. 

Expert Comments

February 03, 2022
René Golembewski
Director, Technical Solutions Engineering
Tanium

Although the company is currently working to determine the exact extent of the attack and minimise the damage, it looks as if it has been the victim of a ransomware attack.

This type of attack on companies uses vulnerabilities in the IT infrastructure as a gateway to first scan the entire company network. Only when sufficient data and information have been compromised by the hackers does the intruder, who has often remained undetected until then, reveal themselves. Then the internal systems are completely hijacked and paralysed by malware. In exchange for money, the affected company is then usually provided with a key to regain control.

But what makes this latest attack so explosive is the fact that hackers specifically targeted a company whose operations are critical to the economic infrastructure – meaning it can impact the entire, complex supply chain.

This type of attack repeatedly highlights how important it is for companies to have an overview of their entire IT environment. After all, with the right tools, an attacker can be found on the network before they make their presence felt using malware. This is where a centrally manageable and automated endpoint management solution is of great benefit, as it allows not only full visibility of all the endpoints, but also full control over them. Vulnerabilities and security gaps can thus be detected quickly and in real time using reliable endpoint data. In this way, the likelihood of a successful cyber-attack can be prevented and its impact significantly minimised. After all, a company can only adequately secure and protect its networks by having an all-encompassing overview.

February 02, 2022
Jon Andrews
VP of EMEA
Gurucul

After Germany recently announced it would be placing Nord Stream 2 on hold with the rising tensions on the Ukraine/Russia border believed to be the reason, the timing of this is very interesting. Energy companies have become a more viable target for attacks due to the multiple points of entry and disparate systems that can be the norm, over large corporations in the industry. As these types of companies move to the cloud, they need to continuously ask themselves "what am I protecting" to ensure they are one step ahead of bad actors in protecting what is important to them, in this case oil tanker terminals across one of the largest countries in the EU.

February 02, 2022
Stanislav Sivak
Associate Managing Software Security Consultant
Synopsys Software Integrity Group

While there isn’t much information available on the motivation, impact, and attack vector so far, it is interesting to see that even some not so publicly known organisations such as petrol distributors are getting attention from cyber-attackers nowadays. Then again, this is the case for all critical infrastructure elements – you don’t notice they exist, until they don’t. This is a perfect example of how software risk equates to business risk. Fortunately, in this instance, either due to other compensating controls or the breadth of the attack, the impact is limited to a partial Denial-of-Service and it seems that no data breach has occurred. Some informational sources on the Internet indicate that a ransomware attack could be the root incident. Having alternative independent operational options, such as paying by cash rather than by card, proves to be a good temporary solution. However, an up-to-date and simulated disaster recovery plan will help restore the necessary level of operations and prioritise next steps.

February 02, 2022
Debrup Ghosh
Senior Product Manager
Synopsys Software Integrity Group

This attack once again illustrates that today every company is a software company. Colonial Pipeline was perhaps just the start of a rather disturbing trend of cyberattacks on organizations tied to critical infrastructure. As a result, these companies need to invest in software supply chain risk management strategies to mitigate business risks posed by the recent exponential rise in malicious attacks.

With the close adjacency between logistics and energy industries, both critical to national security, every CISO today in Transportation, Logistics and Supply Chain related companies should be asking their vendors for an extensive software Bill of Materials to build appropriate controls as part of their overall risk management strategy to satisfy regulatory, compliance and insurance requirements.

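As an added example (not code from this page or from any of the commenters), the script below consumes a CycloneDX-style software bill of materials, the kind of document the comment above recommends requesting from vendors, and flags components whose version falls inside an advisory's affected range. Both the SBOM and the advisory list are constructed placeholders: the package names, versions and advisory IDs are assumptions for illustration, not real products or real vulnerabilities.

```python
"""Audit a CycloneDX-shaped SBOM against a list of affected-version ranges.

Added example.  The SBOM and advisory feed are constructed; the component
names, versions and advisory identifiers are placeholders, not real products.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed CycloneDX 1.4-shaped document, as a vendor might hand it over.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "tankgauge-sdk", "version": "3.4.1",
         "purl": "pkg:generic/tankgauge-sdk@3.4.1"},
        {"type": "library", "name": "modbus-bridge", "version": "1.0.9b",
         "purl": "pkg:generic/modbus-bridge@1.0.9b?arch=x86_64"},
        {"type": "library", "name": "tls-lite", "version": "2.2.0",
         "purl": "pkg:generic/tls-lite@2.2.0"},
        # No purl: a component the vendor listed but did not identify.
        {"type": "application", "name": "terminal-scheduler", "version": "7.1"},
    ],
})

# Constructed advisory feed.  Each entry names a package by its purl without
# the version and gives the half-open affected range [introduced, fixed).
# A real pipeline would pull these ranges from a vulnerability database.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/tankgauge-sdk",
     "introduced": "3.0.0", "fixed": "3.4.2"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:generic/modbus-bridge",
     "introduced": "1.0.0", "fixed": "1.1.0"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:generic/tls-lite",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(text: str) -> Tuple[Tuple[int, Any], ...]:
    """Split '1.0.9b' into comparable tokens.  Numbers compare numerically;
    a letter token sorts after any number at the same position, and a shorter
    version sorts below a longer one with the same prefix ('3.4' < '3.4.0')."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(text))


def in_affected_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def split_purl(purl: str) -> Tuple[str, str]:
    """Return (purl without version, version).  Qualifiers ('?...') and the
    subpath ('#...') are dropped first; '@' introduces the version in purl syntax."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.rpartition("@")
    return (base, version) if sep else (core, "")


def audit_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Return {'affected': [...], 'unidentified': [...]}: components whose purl and
    version fall in an advisory range, and components that carry no purl and so
    cannot be matched at all (worth sending back to the vendor)."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    affected: List[Dict[str, str]] = []
    unidentified: List[Dict[str, str]] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append({"name": comp.get("name", "?"), "version": comp.get("version", "?")})
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version", "")
        for adv in advisories:
            if adv["purl"] == base and in_affected_range(version, adv["introduced"], adv["fixed"]):
                affected.append({"name": comp.get("name", base), "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return {"affected": affected, "unidentified": unidentified}


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for hit in report["affected"]:
        print(f"AFFECTED  {hit['name']}@{hit['version']}  {hit['advisory']}  fixed in {hit['fixed']}")
    for comp in report["unidentified"]:
        print(f"NO PURL   {comp['name']}@{comp['version']}  cannot be matched against advisories")
```

Two points of design: components without a package URL are reported rather than silently skipped, because an SBOM entry that cannot be matched gives no assurance at all; and the version comparison is deliberately simple (dotted numbers with optional letter suffixes), so a real deployment should swap in the ecosystem's own version semantics (for example PEP 440 or semver) before trusting range checks.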
February 03, 2022
Matt Aldridge
Principal Solutions Architect
Webroot

The oil and gas industry is a high-value and lucrative industry and so naturally one that cybercriminals are keen to target. This attack demonstrates that criminals aren’t slowing down when it comes to targeting critical infrastructure and serves as a reminder that organisations in this sector have a huge responsibility to keep private information secure.

Although the cause of the hack is yet unclear, organisations can limit the impact of these attacks by ensuring they have clearly defined cybersecurity policies and procedures in place. With risky employee IT behaviours frequently causing security compromises, this starts with employee education – which underscores all effective cyber resilience and data protection strategies.

Security awareness training programmes can now inform and test employees on the latest threats in real-time, including information security, social engineering, malware, and industry-specific compliance topics. Along with comprehensive best practice guides, organisations can use these tactics to improve employee vigilance and defend endpoints from attacks in the future.

February 03, 2022
Jake Moore
Cybersecurity Specialist
ESET

The BlackCat ransomware and the ALPHV hacker group behind it were practically unknown until the end of 2021, but according to our estimates the group is currently building a franchise model and recruiting members of other groups such as REvil, Blackmatter or Darkside.  

BlackCat cleverly allows the attacker to customise the attack to certain employees and choose what to shut down, as well as being able to learn how to move across into other parts of the network. These customizable tactics make it extremely effective in an attack and difficult to shut down. BlackCat operators are known to perform not only the standard encryption technique and data extraction, but also to include the added threat of a DDoS as well. 

This extremely sophisticated ransomware attack shows once again how important medium-sized companies can be for critical infrastructure. The fact that the malicious code used has already been known since November makes it clear how much there is still to catch up on in terms of IT security.

February 02, 2022
Piers Wilson
Head of Product Management
Huntsman Security

Given the potential fragility of the fuel supply chain – as highlighted by recent shortages in the UK – disruptive cyberattacks can cause widespread disruption for consumers and businesses. Although the details and longer-term impact of the attack on Oiltanking and its parent company are unclear, it’s vital that other organisations take effective steps to ensure they aren’t the next victims of a successful breach.

Alongside the use of the latest cyber defence technologies, businesses must also frequently assess the level of risk they face from attacks. For instance, there’s little point in having the latest antivirus updates if your systems aren’t patched regularly or you have misconfigured admin accounts and unsupported software versions. Equally, staff must be trained on what to look out for when it comes to phishing e-mails. 

However, securing your own network is only a partial solution if your suppliers aren’t doing the same. As we’ve seen recently in the US and elsewhere, attacks originating from other organisations are becoming more common as are those which might not actually spread, but take a supplier you rely on off-line.

Regularly assessing or monitoring your own, as well as partners’ and suppliers’ cybersecurity practices is critical. With luck the attack on Oiltanking won’t see widespread disruption in Germany, but it must be seen as a wake-up call to organisations that still aren’t 100% confident in their own and their partners’ cyber defences.

February 02, 2022
Dr. George Papamargaritis
MSS Director
Obrela Security Industries

It is these types of cyberattacks on supposedly unknown companies that have a major impact on the entire supply chain of a critical infrastructure of a whole country. Cyber attackers are well aware of this and therefore choose targets that are simpler and easier to attack from their perspective. The effect can be the same as an attack on a major brand. This attack is very critical in that the supply chain for fuel, heating, and motor fuels can potentially be compromised. Cyber risks are a serious threat and cannot be neglected.

February 02, 2022
Hank Schless
Senior Manager, Security Solutions
Lookout

The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved. There isn’t enough information to say who was responsible, but regardless the attackers saw an opportunity to put even more pressure on Germany, which is one of the largest consumers of Russian gas in Europe. This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber activity, which attackers do as often as they can.

Last year with the Colonial Pipeline ransomware attack in the United States, the world saw how disruptive a cyberattack on critical infrastructure can be. While we don’t yet have details as to whether this was a ransomware attack, limiting the business continuity of companies like Oiltanking GmbH and Mabanaft is sure to take time to recover from. It typically costs organizations between $750,000 and $1.85M USD to recover from a significant ransomware attack, which doesn’t even include the cost of lost business due to the incident. 

These attacks typically start with either compromised corporate credentials, malware being delivered to users via corporate email or collaboration platforms, or a vulnerable server or app being exploited. Corporate credentials are typically stolen via phishing, which is even more effective if the attacker can socially engineer the target over a personal channel like SMS, social media, or a third-party chat app. Malware delivery is becoming a more dated tactic with the effectiveness of inbound email security solutions such as secure email gateway (SEG), but it’s still used by attackers to gain their initial foothold directly in corporate infrastructure. Vulnerable apps and servers can be exploited by attackers - especially if they’re older assets that IT teams no longer have visibility into. It’s critical to mask the presence of web-enabled on-premises assets with a zero trust network access (ZTNA) solution. The best thing these companies can do right now is allocate every resource at their disposal to getting operations back online - both for the good of themselves and their customers.

February 02, 2022
Greg Day
VP & CSO, EMEA
Palo Alto Networks

Fuel prices continue to rise, in part because of supply chain complexities, Covid and world affairs. Today's confirmed cyberattacks on German oil suppliers Oiltanking GmbH Group and Mabanaft Group seem fortuitous to say the least. It's promising to see that their systems were segmented as only subsidiaries have been impacted. At this stage, what is most important is how quickly Oiltanking GmbH and Mabanaft recover and return to 100 percent operational capacity. That means understanding what and how to ensure another attack isn't repeated. Too often, organisations pay a ransom and get hit a second time. In fact, Cybereason found that 80 percent of organisations that participated in a global ransomware study that paid a ransom in 2021 were hit a second time. Organisations with rich data that spans across all the systems that were compromised and others that could have been impacted by those compromised systems have an advantage in the fight against ransomware gangs. All too often we see businesses struggling to maintain forensic data and/or they lack the internal skill set and capabilities to correlate data into tangible actions required to provide businesses with digital operational resilience that will put an end to the ransomware scourge.

February 02, 2022
Saryu Nayyar
CEO
Gurucul

While there is a lot of discussion around ICS/OT security, the reality is that most operations are disrupted by compromises and attacks that begin within IT. While the devices and systems themselves may run on hardened or proprietary operating systems and architectures, the management of these devices often do not, leaving them susceptible to a malware or ransomware attack. This shows how critical it is to invest in more advanced threat detection and response solutions that can enable automation with higher confidence and lower impact to help security teams prevent disruption and the detonation of ransomware.

February 02, 2022
Andy Norton
European Cyber Risk Officer
Armis

For decades, ICS cybersecurity simply didn’t exist because it didn’t need to. Operational technology and information technology were separate domains with separate systems that didn’t connect to each other, and legacy industrial devices didn’t connect independently to the internet or to each other. This disconnection—the so-called “air gap”—was thought to be all the security that OT systems needed, aside from physical access control.

Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security. As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organisations struggle to find the right approach to protect their operational technology. 

For example, many operation managers are concerned about downtime and the impact of implementing more security for their OT, IIoT, and other ICS devices. That’s understandable because legacy solutions that are built to scan IT networks can knock these devices offline or cause them to malfunction—if the scan can detect them at all. 

Facilities that can’t operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web—or destroy that data altogether.

Fortunately, organisations no longer have to choose between predictable uptime and ICS cybersecurity. A non-disruptive solution for quickly identifying and continuously monitoring OT and ICS devices is required and the risks of delaying implementation of OT security are too big to ignore as these sorts of occurrences keep evidencing. 

February 02, 2022
Gary Kinghorn
Marketing Director
Tempered Networks

It’s too early to know who is behind this attack or exactly what was intended, but it’s another reminder that oil and gas operators must be prepared.  As IT and OT worlds converge and cyber criminals take aim at higher value industrial and critical infrastructure targets, energy operators should assume that even an IT breach will have impacts on their operational processes.  That means building stronger defenses combined with a plan for extra resiliency in scenarios where threat actors are still able to get in.
