Cyber attacks on European oil facilities spreading
A series of cyber attacks targeting oil distribution terminals and other facilities in Europe has authorities on high alert, given rising gas prices and the specter of supply disruption should the political crisis in Ukraine escalate into conflict.
The first incident to come to light occurred at two German oil companies, OilTanking and Mabanaft, which operate under the same Hamburg-based parent, Marquard & Bahls, a logistics specialist. This ongoing attack, which, it has emerged, is very likely the work of the BlackCat ransomware group, has had a small impact on retail gas supplies in Germany.
It is now emerging that a series of other attacks are also taking place, hitting oil terminals belonging to various organisations operating at the ports of Antwerp and Ghent in Belgium, and Amsterdam and Terneuzen in the Netherlands. These facilities are operated by logistics and shipping organisations SEA-tank – part of the larger SEA-invest group – and Evos, to which OilTanking sold a number of facilities in the last 12 months, as well as OilTanking itself.
The incidents are primarily affecting the loading and unloading of cargo at the impacted facilities, and it can be expected that should normal operations not resume soon, these impacts will spread into the shipping and logistics sector.
Computer Weekly understands that the Belgian authorities and the Dutch National Cyber Security Centre are investigating the incidents, and are being supported by Europol.
Dominic Trott, UK product supervisor at Orange Cyberdefense, commented: “Critical national infrastructure [CNI] is becoming an increasingly popular target for malicious actors because of the devastating impacts downtime and delays in this sector can have. You only have to look back at last year’s gas crisis or the attack on US supplier Colonial Pipeline to see this in action.
“In this attack, the impacts have already spread far further than the three countries where these businesses are based, with the connected nature of the global supply chains resulting in ports in Africa and across Europe more widely also being affected.”
Although it is far too early in any investigation to really draw links between this series of incidents, a number of possible scenarios may be unfolding, of which the most impactful would clearly be a link to the Ukraine crisis. Armed conflict in Ukraine would likely affect supplies of fossil fuels from Russia into Europe and it is certainly possible this could be some kind of advance operation.
Ian Bramson, a specialist in industrial cyber security at risk consultancy ABS Group, reiterated that at this stage, the attacks cannot be attributed to any uncategorised or known advanced persistent threat (APT) groups backed by Russia. “However,” he said, “these attacks are in line with the tactics and techniques Russia has used in the past. Historically, when the Russian agenda is compromised, cyber attacks arise, impacting Europe’s gas and oil supply.”
Equally possible, and perhaps more likely given the possible involvement of the BlackCat ransomware group, which has links to the likes of REvil, is that the incidents are linked through a compromised piece of software used by all the victims – a classic supply chain attack akin to that perpetrated by REvil on Kaseya.
What is clear is that organisations termed as CNI, which includes the distribution of gas supplies, are uniformly at high risk. Indeed, research conducted by Bridewell Consulting suggests that 86% of CNI organisations have detected cyber attacks on their operational technology (OT) or industrial control systems (ICS) in the past 12 months, with 93% of those saying at least one of those attempts had got through.
Concerningly, the research also suggested a degree of misplaced confidence, with clear majorities saying they were confident their OT systems were fully protected. Bridewell said there was evidence of reliance on ageing legacy infrastructure, and too much trust being placed in suppliers.
“Security vulnerabilities, while challenging to remediate within some CNI organisations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent,” said Bridewell co-CEO Scott Nicholson.
“Legislation like the NIS Directive and NIS Regulations has certainly helped to improve cyber security in the sector, but there is still room for improvement.”