Following closely on the heels of incidents with two oil suppliers in Germany, oil terminals in two other European countries have been hit with cyber attacks.
Belgium’s SEA-Invest and the Netherlands’ Evos are both reporting recent cyber attacks that have disrupted operations, collectively impacting port operations throughout Europe and Africa.
Cybersecurity experts are warning that there is no evidence yet that the breaches are coordinated, but there are few details about the attacks available to the public as of yet.
Broader impact on Europe’s fuel supply as attack on oil terminals impact ports
SEA-Invest says that the attack on its oil terminals impacts every port it runs in Europe and Africa. Evos said that impact to its operations were limited to Terneuzen, Ghent and Malta. This creates a greater potential for fuel distribution impact than the late January incident in Germany, which appears to have been quickly mitigated by obtaining fuel from alternate sources and was not expected to extend beyond that country’s borders.
SEA-Invest reports that most of its liquid transportation remains operational as the cyber attack is being mitigated and that it has a backup system it is working to restore from. A spokesperson also said that the company sees no links to the other recent attacks as of yet. The NL Times is reporting that Evos is experiencing slowdowns in the loading and unloading of oil but that all of its Dutch ports remain operational. Europe’s largest cargo port, Riverlake in Rotterdam, has also independently reported that the issue has stopped some oil barges from being unloaded.
The overall impact appears to be a slowing of oil deliveries to retail sources due to difficulties in filling delivery tankers. It is unclear as to how long this will persist as public information about all of the cyber attacks, including the prior incidents in Germany, is still very limited. Ransomware or an attack that maliciously wiped files are safe assumptions given the outcome, but cannot be confirmed as of yet.
Timing of cyber attacks in Europe raises questions about coordinated campaign
The cluster of incidents involving oil terminals and suppliers (paired with current geopolitical conditions) naturally raises suspicions of a coordinated cyber attack campaign, but some security experts are encouraging the public to not jump to conclusions until more facts are available. Some possibilities include a bot-driven malware campaign working from email lists gathered from the European oil industry, or the breach of a particular piece of software that all of these companies use.
The only scrap of information on the perpetrator thus far comes from the Dutch National Cyber Security Centre, which said the attacks on its oil terminals were “probably committed with a criminal motive.” Given current geopolitical tensions, speculation will nevertheless run wild that there is more at work than another criminal campaign similar to the Colonial Pipeline and JBS cyber attacks of last year. Some cybersecurity experts have already posited that the attacks might be linked to China’s advanced persistent threat groups, as they have been observed on a recent campaign targeting private businesses throughout Europe. Others have linked the cyber attacks to Russia’s recent threat to cut off oil supplies to Europe over the Ukraine conflict.
The actual methods of attack are still up in the air as well. The German newspaper Handelsblatt is claiming that BlackCat ransomware is responsible for the earlier attacks there. BlackCat emerged in late 2021 and has rapidly gained popularity as a ransomware-as-a-service provider, utilizing a “triple extortion” approach that adds a distributed denial of service (DDoS) attack to the standard file encryption and doxxing threats. KrebsOnSecurity is reporting that the group may be made up of refugees from recently-dissolved major ransomware players such as DarkSide and REvil. There has not yet been any official linkage of BlackCat to the oil terminals in Belgium and the Netherlands, however.
Another off-the-record report from an anonymous source also implicated the Conti ransomware in all of the cyber attacks. This is an older ransomware strain that dates back to 2020 and targets Windows systems, linked to the Russian “Wizard Spider” ransomware gang that is also known for its use of Ryuk ransomware. Conti is regarded as one of the more dangerous strains of ransomware as it encrypts target files more quickly than usual. This source also says that the attack on SEA-Invest occurred very shortly after the incidents in Germany, about one day later.
The actual nature of the attack on the oil terminals remains up in the air pending official public statements from any of the involved parties, but the incident serves as a reminder that ransomware groups can quickly re-emerge after being broken up and that state-backed actors are always lurking and are showing an increasing tendency to engage civilian targets.