In recent weeks, a series of ransomware attacks on major European oil port terminals has affected oil supply logistics across Europe.
The attacks disrupted IT systems at a number of port oil terminal operators, including Oiltanking and Mabanaft in Germany, SEA-Invest in Belgium and Evos in the Netherlands. In total, dozens of terminals for oil storage and transport around the world have been affected. Researchers have not yet found proof that the attacks were coordinated, although suspicions remain that they were.
The incidents mainly affected the loading and unloading of oil cargo at the impacted facilities, delaying it in some cases by over a week. As of today, all affected companies’ operations have been restored to normal.
Multiple sources, including the German Federal Office for Information Security (BSI), have identified the BlackCat ransomware as the tool used in the cyberattacks. According to some cyber experts, the BlackCat gang is a rebranding of BlackMatter, which was itself a rebrand of the DarkSide ransomware responsible for the Colonial Pipeline attack in May 2021. Also, according to the German newspaper Handelsblatt, which obtained access to the BSI report, the Oiltanking attack “was carried out through a previously unknown gateway”.
Behind the news
It’s difficult to ignore the timing of these attacks and their targets. The geopolitical situation and the uncertainty in the European and global energy markets, caused by the political and military tension between Russia and Ukraine, is hitting new heights.
This situation has caused skyrocketing gas prices, as more than a third of the European gas supply comes from Russia, and the US and Western European nations are taking a pro-Ukrainian position in this conflict. Although Russia has not said so explicitly, estimates are that it will stop the flow of gas through Ukraine to Europe during an armed conflict, and that would have a significant impact on the European energy market, as the Nord Stream 2 pipeline from Russia to Germany has still not been certified for use by the German side. In reaction, the US has been sending multiple LNG tankers to stabilize supply and prices, as well as to reassure its European allies.
In this climate, any disruption in gas supply to European households may cause prices to skyrocket even more, raising concerns for political and economic instability. The hackers’ hope, in these attacks, was that the affected companies would be willing to pay more in ransom – and faster – to avoid any business disruptions.
As for the ransomware gang itself, this ransomware strain emerged only a few months ago and is already taking a leading position. According to an analysis by Palo Alto Networks Unit 42, most of its victims are in the US (above 40%) and European countries (also above 40%), across multiple verticals such as transportation, engineering, telecom, pharmaceuticals and others.
An analysis published by Symantec shows that the attackers use multiple tactics for exploitation, persistence, and lateral movement in the victim network, such as using PsExec to deploy malware, running PowerShell commands, targeting RDP credentials and more.
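As an added example (not from the original post or from Radiflow), here is a small Python rule set that flags the three lateral-movement tactics named above in constructed Windows event records: a PsExec service install, encoded or hidden-window PowerShell, and a burst of failed RDP logons from one source followed by a success. The event IDs, field names and failure threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not real telemetry); keys loosely follow Windows event fields.
EVENTS = [
    {"host": "ws-01", "id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws-02", "id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand ZABlAG0AbwA="},  # encodes "demo"
    {"host": "ws-03", "id": 4688, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
] + [
    {"host": "srv-01", "id": 4625, "src_ip": "10.0.5.23", "user": "admin", "logon_type": 10}
    for _ in range(6)
] + [
    {"host": "srv-01", "id": 4624, "src_ip": "10.0.5.23", "user": "admin", "logon_type": 10},
]

RDP_FAIL_THRESHOLD = 5  # assumed tuning value; adjust to the environment's baseline


def detect(events):
    """Return a list of findings; each finding is a (rule, host, detail) tuple."""
    findings = []
    rdp_failures = Counter()  # (src_ip, host) -> number of failed RDP logons
    rdp_success = set()       # (src_ip, host) pairs that later logged on successfully via RDP
    for e in events:
        # PsExec installs a temporary service whose default name is PSEXESVC.
        # A renamed service would not be caught by this rule alone.
        if e["id"] == 7045 and "PSEXESVC" in (e.get("service", "") + e.get("path", "")).upper():
            findings.append(("psexec_service_install", e["host"], e.get("service", "")))
        # Encoded or hidden-window PowerShell is a common way to run commands unnoticed.
        if e["id"] == 4688 and e.get("image", "").lower().endswith("powershell.exe"):
            cmd = e.get("cmdline", "").lower()
            if "-encodedcommand" in cmd or " -enc" in cmd or "-w hidden" in cmd:
                findings.append(("suspicious_powershell", e["host"], e["cmdline"]))
        # Logon type 10 is RemoteInteractive (RDP). Many failures and then a success
        # from the same source suggests password guessing against RDP credentials.
        if e["id"] == 4625 and e.get("logon_type") == 10:
            rdp_failures[(e["src_ip"], e["host"])] += 1
        if e["id"] == 4624 and e.get("logon_type") == 10:
            rdp_success.add((e["src_ip"], e["host"]))
    for (src, host), n in rdp_failures.items():
        if n >= RDP_FAIL_THRESHOLD:
            outcome = "then succeeded" if (src, host) in rdp_success else "no success seen"
            findings.append(("rdp_credential_attack", host, f"{n} failures from {src}, {outcome}"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```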
One of the factors that probably benefited the attackers in these incidents was insufficient cyber-security measures on enterprise access machines. The reported access “through a previously unknown gateway” may point to limited asset and network visibility in the respective enterprise and operational networks. In general, many European and American ports, oil & gas storage facilities, pipelines, and other infrastructure operate a myriad of vulnerable legacy systems. The US DHS Transportation Security Administration has also acted to strengthen cybersecurity across regulated infrastructure.
Finally, in 2022 we will probably see more cyber incidents carried out by cyber-criminal groups, which will continue to leverage complicated geopolitical situations. Moreover, an additional “warning light” was provided by the joint US-UK-Australia advisory published only two days ago, which states: “Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes”.
Mitigating ransomware attacks
Ransomware attacks of the type that impacted the European oil facilities can be mitigated. Performing regular cyber-security risk assessments, gaining network visibility and planning incident response will allow organizations to set guidelines and security priorities for detecting and combatting ransomware.
Radiflow has published a list of useful guidelines for mitigating ransomware in OT environments and setting up multiple lines of defense, from network separation and threat detection to securing the backup system (for restoring the compromised network after a successful attack). The guidelines also cover using risk assessment and management to optimize companies’ cyber-security expenditure by prioritizing the protection of critical assets and installing security measures that correspond to the most impactful and imminent threats.