A cyber attack on two German logistics firms used by Shell has forced a temporary reroute to alternative supply depots, and echoes the attack on fuel supplier Colonial Pipeline as another example of cyber criminals directly targeting real-world critical infrastructure.
The identity of the attacker has yet to be confirmed, but there is speculation about the involvement of both Chinese and Russian threat groups. The exact type of cyber attack has also yet to be identified, but the extent of the disruption would indicate either ransomware or destructive wiper malware that erased files.
Cyber attack presents limited threat to German fuel supply
The cyber attack hit two suppliers that are subsidiaries of the Marquard & Bahls logistics group: Oiltanking GmbH, which supplies Shell Deutschland GmbH, and Mabanaft GmbH. It is possible that Marquard & Bahls was the central breach point. The attack came on January 29, with a statement of confirmation coming from the companies on February 1.
Together these fuel suppliers make shipments to about 26 companies, which in turn supply thousands of gas stations and other retail sources; the cyber attack threatens the gas supply of nearly 2,000 German Shell stations alone. The country’s largest gas retailer, Aral, said that its supply to its 2,300 stations is “secure” but that it has turned to alternative sources temporarily.
The fuel suppliers say that IT systems in general were damaged by the cyber attack, but the most pressing problem is the automated tank loading and unloading systems that are completely reliant on impacted computer systems. As James Carder, Chief Security Officer at LogRhythm, points out, this is another illustration of how the breach of just one victim can lead to business disruption for thousands: “This attack on Oiltanking GmbH is a perfect example of how cyberattacks can go beyond just the targeted entity and disrupt the larger supply chain … While the supply of fuel has not been affected in the attack, impact remains consequential with IT systems responsible for the automation of tank loading and unloading processes, something that cannot be done manually, being forced offline for the time being. The 13 tank farms that Oiltanking operates cannot currently serve trucks, so the firm has turned to alternative methods. The economic impact of cyberattacks affecting the greater supply chain can prove to be extremely detrimental. To ensure that crucial organizations, such as fuel suppliers, remain properly up and running with little to no threats to their routine processes, they must make cybersecurity practices top-of-mind.”
Fuel suppliers are saying that the cyber attack does not threaten to cut Germans off from heating or transportation supply in the country, but there could be supply chain disruptions should it take a long time to remediate the damage. The situation naturally calls to mind the Colonial Pipeline attack in the United States in 2021, which caused major retail fuel shortages (primarily at gas stations in a number of southeastern coastal states) for about a week.
That attack was caused by ransomware from a profit-seeking cyber criminal group; it remains unclear who is behind the attack on the German fuel suppliers, what they want or even exactly what sort of damage they did to the systems. Some cyber security experts are speculating that China-backed advanced persistent threat (APT) groups may be involved due to recent activity targeted at various German businesses. Nick Tausek, Security Automation Architect at Swimlane, is inclined to believe that these are the perpetrators: “This cyber attack comes as no surprise after the BfV German domestic intelligence services warned last week of ongoing attacks coordinated by APT27, a Chinese-backed hacking group. While it hasn’t been confirmed that APT27 is behind the attack on Oiltanking, this cyberattack could very well be the work of a state actor looking to cause disruption and economic damage.”
Others point to Russia as a possible perpetrator. Hank Schless, Senior Manager of Security Solutions at Lookout, notes: “The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved. There isn’t enough information to say who was responsible, but regardless the attackers saw an opportunity to put even more pressure on Germany, which is one of the largest consumers of Russian gas in Europe. This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber activity, which attackers do as often as they can … While we don’t yet have details as to whether this was a ransomware attack, limiting the business continuity of companies like Oiltanking GmbH and Mabanaft is sure to take time to recover from.”
German fuel suppliers reroute to alternate depots to mitigate supply chain issues
Germany’s Federal Office for Information Security has stepped in to offer investigative assistance to the fuel suppliers, but has not released any further information to the public other than characterizing the incident as “serious but not grave.”
Thus far, the slack created by the cyber attack seems to have been adequately picked up by alternate depots. In the meantime, Oiltanking GmbH has declared “force majeure” for its inland fuel business in Germany, allowing it to temporarily excuse itself from contractual obligations due to an extraordinary outside event.
While supply chain disruptions could increase should the recovery from the cyber attack take an unusual amount of time, the fuel suppliers say they do not foresee any issues spilling outside of the borders of Germany.
Critical infrastructure, and more broadly industrial control systems, are becoming a more popular target for criminal gangs. State-backed actors certainly have an interest in things like utilities and the fuel supply of nations, but actually causing damage has been seen as a line too far in most cases, since it is something that could trigger a real-world military response. It is still unclear who is behind the attack on German fuel suppliers, but ransomware gangs spent 2021 demonstrating that they are now willing to cross that line in the pursuit of profit (though the consequences can end up being quite dire, as ransomware operator REvil recently found out).
Nation-states have also shown that they will make incursions of this nature on occasion, however, mostly when they are in a position where the target is unable or very unlikely to mount a military response. The present conflict in Ukraine highlights the fact that Russia has been fiddling with that country’s power grid sporadically since 2014. The lines between criminal for-profit gangs and nation-state threat groups have also become increasingly blurred since 2017, as the latter increasingly recruits from and makes use of the tools of the former.