Cyberattacker hits German service station petrol terminal provider
Shell station logistics supplier Oiltanking 'operating with limited capacity'
Two companies owned by Hamburg-based company fuel group Marquard & Bahls are battling cyberattackers, with loading and unloading systems at the German arm of petrol tank terminal provider Oiltanking affected.
The company this afternoon confirmed to The Register that Oiltanking GmbH's terminals – which provide Shell service stations, among others – are "operating with limited capacity" and that Mabanaft GmbH had "declared force majeure for the majority of its inland supply activities in Germany."
Shell has additional providers, however, and said it had "diverted operations to other suppliers to minimise disruption."
Mabanaft describes itself as the "leading independent importer and wholesaler of petroleum products in Germany."
A spokesperson for Oiltanking and Mabenaft told El Reg in a statement:
Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter.
We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident. We are undertaking a thorough investigation, together with external specialists and are collaborating closely with the relevant authorities.
Marquard & Bahls owns a portfolio that includes three divisions: the larger Oiltanking GmbH Group – which the firm told us "continues to operate all terminals in all global markets"; Skytanking; and the Mabanaft division – which, confusingly, houses Oiltanking Deutschland GmbH – which operates all terminals in Germany and is not part of the Oiltanking GmbH Group.
According to IATA, Skytanking, which supplies on-airport jet fuel, "currently operates at 70 airports in Europe, South Africa and India refueling more than 1.5 million aircraft a year."
Oiltanking told The Reg that the "cyberincident" had only affected the two German companies.
The firms said they were "committed to resolving the issue and minimizing the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and provide updates as soon as more information becomes available."
According to its most recent annual report [PDF], for the year 2020 and filed in May 2021, parent firm Marquard & Bahls had a "satisfactory operational year in 2020", with revenues of €9.183bn and pre-tax earnings of €149m. "Tank storage logistics and energy trading achieved good results, while aviation fuelling suffered a massive revenue collapse due to COVID-related travel restrictions."
The report singled out Germany's "service station business for commercial motor transport" – which was "initially in decline at the start of the pandemic but "gradually recovered in the second quarter."
Big moves last year by M&B's flagship holding, Oiltanking, included flogging off four European liquid storage terminals to Evos in Q4 2021 for an "undisclosed" amount as well as inking a deal with Singaporean authorities in which it became a founding "shareholder" of Singapore Trade Data Exchange (SGTraDex), a public-private partnership "aimed at reshaping the local supply chain ecosystem through digitalization." SGTraDex was expected to launch in "early 2022."
Oiltanking says on its website that it owns and operates 45 terminals in 20 countries in the Americas, Europe, Middle East, Africa, and Asia Pacific including China and India. The company adds that it has an overall storage capacity of more than 18.5 million cubic metres.
As for the German companies, Oiltanking Deutschland GmbH and Mabanaft GmbH invoking "force majeure" – a contractual clause that frees the business from liabilities arising from its obligations to customers – it's unclear what the outcome will be. They will have to demonstrate that the attack is within the scope of their contractual provisions.
We have asked the firms which software and systems were affected. German newspaper Der Speigel reported that because Oiltanking's loading and unloading systems are "essentially automated", the operation of the tanker trucks that supply some of the nation's petrol stations is only possible to a "limited extent manually."
- Hack on Saudi Aramco hit 30,000 workstations, oil firm admits
- UK mulls making MSPs subject to mandatory security standards where they provide critical infrastructure
- USA signs internet freedom and no-hack pact it's ignored since 2018
- Suex to be you: Feds sanction cryptocurrency exchange for handling payments from 8+ ransomware variants
- Unhappy customers and their own tricks used against them, REvil ransomware gang reportedly pulled offline by 'multi-country' operations
Several onlookers have speculated that the attack may be ransomware, although this has not been confirmed.
Around nine months ago, the operators of the Colonial Pipeline – which stretches 5,500 miles between Texas and New York, and can carry up to 3 million barrels of fuel per day – reportedly paid $5m to regain access to their systems after they were struck by ransomware, said to have been the work of the Darkside group.
Charles Carmakal, senior VP at cybersecurity firm Mandiant, which responded to the incident, revealed in an interview a month later that crooks had accessed Colonial Pipeline's network though an old VPN and password believed to have fallen into the wrong hands via the dark web. ®