German Petrol Company Oiltanking Suffers Cyberattack


ISBuzz Staff | »

Oiltanking GmbH, a German petrol distributor who supplies Shell gas stations in the country, has fallen victim to a cyberattack that severely impacted its operations.

Additionally, the attack has also affected Mabanaft GmbH, an oil supplier. Both entities are subsidiaries of the Marquard & Bahls group, which may have been the breach point.

Below are some comments from cybersecurity experts.

Saryu Nayyar

| February 02, 2022

Saryu Nayyar, CEO, Gurucul

While there is a lot of discussion around ICS/OT security, the reality is that most operations are disrupted by compromises and attacks that begin within IT. While the devices and systems themselves may run on hardened or proprietary operating systems and architectures, the management of these devices often do not, leaving them susceptible to a malware or ransomware attack. This shows how critical it is to invest in more advanced threat detection and response solutions that can enable automation with higher confidence and lower impact to help security teams prevent disruption and the detonation of ransomware.


Jon Andrews

| February 02, 2022

Jon Andrews, VP of EMEA, Gurucul

After Germany recently announced it would be placing Nord Stream 2 on hold with the rising tensions on the Ukraine/Russia border believed to be the reason, the timing of this is very interesting. Energy companies have become a more viable target for attacks due to the multiple points of entry and disparate systems that can be the norm, over large corporations in the industry. As these types of companies move to the cloud, they need to continuously ask themselves “what am I protecting” to ensure they are one step ahead of bad actors in protecting what is important to them, in this case oil tanker terminals across one of the largest countries in the EU.


| February 02, 2022

Stanislav Sivak, Associate Managing Software Security Consultant, Synopsys Software Integrity Group

While there isn’t much information available on the motivation, impact, and attack vector so far, it is interesting to see that even some not so publicly known organisations such as petrol distributors are getting attention from cyber-attackers nowadays. Then again, this is the case for all critical infrastructure elements – you don’t notice they exist, until they don’t. This is a perfect example of how software risk equates to business risk. Fortunately, in this instance, either due to other compensating controls or the breadth of the attack, the impact is limited to a partial Denial-of-Service and it seems that no data breach has occurred. Some informational sources on the Internet indicate that a ransomware attack could be the root incident. Having alternative independent operational options, such as paying by cash rather than by card, proves to be a good temporary solution. However, an up-to-date and simulated disaster recovery plan will help restore the necessary level of operations and prioritise next steps.


| February 02, 2022

Debrup Ghosh, Senior Product Manager, Synopsys Software Integrity Group

This attack once again illustrates that today every company is a software company. Colonial Pipeline was perhaps just the start of a rather disturbing trend of cyberattacks on organizations tied to critical infrastructure. As a result, these companies need to invest in software supply chain risk management strategies to mitigate business risks posed by the recent exponential rise in malicious attacks.

With the close adjacency between logistics and energy industries, both critical to national security, every CISO today in Transportation, Logistics and Supply Chain related companies should be asking their vendors for an extensive software Bill of Materials to build appropriate controls as part of their overall risk management strategy to satisfy regulatory, compliance and insurance requirements.


| February 02, 2022

Piers Wilson, Head of Product Management, Huntsman Security

Given the potential fragility of the fuel supply chain – as highlighted by recent shortages in the UK– disruptive cyberattacks can cause widespread disruption for consumers and businesses. Although the details and longer term impact of attack on Oiltanking and its parent company are unclear, it’s vital that other organisations take effective steps to ensure they aren’t the next victims of a successful breach.

Alongside the use of the latest cyber defence technologies, businesses must also frequently assess the level of risk they face from attacks. For instance, there’s little point in having the latest antivirus updates if your systems aren’t patched regularly or you have misconfigured admin accounts and unsupported software versions. Equally, staff must be trained on what to look out for when it comes to phishing e-mails.

However, securing your own network is only a partial solution if your suppliers aren’t doing the same. As we’ve seen recently in the US and elsewhere, attacks originating from other organisations are becoming more common as are those which might not actually spread, but take a supplier you rely on off-line.

Regularly assessing or monitoring your own, as well as partners’ and suppliers’ cybersecurity practices is critical. With luck the attack on Oiltanking won’t see widespread disruption in Germany, but it must be seen as a wake-up call to organisations that still aren’t 100% confident in their own and their partners’ cyber defences.


| February 02, 2022

Dr. George Papamargaritis, MSS Director, Obrela Security Industries

It is these types of cyberattacks on supposedly unknown companies that have a major impact on the entire supply chain of a critical infrastructure of a whole country. Cyber attackers are well aware of this and therefore choose targets that are simpler and easier to attack from their perspective. The effect can be the same as an attack on a major brand. This attack is very critical in that the supply chain for fuel, heating, and motor fuels can potentially be compromised. Cyber risks are a serious threat and cannot be neglected.


| February 02, 2022

Hank Schless, Senior Manager, Security Solutions, Lookout

The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved. There isn’t enough information to say who was responsible, but regardless the attackers saw an opportunity to put even more pressure on Germany, which is one of the largest consumers of Russian gas in Europe. This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber activity, which attackers do as often as they can.

Last year with the Colonial Pipeline ransomware attack in the United States, the world saw how disruptive a cyberattack on critical infrastructure can be. While we don’t yet have details as to whether this was a ransomware attack, limiting the business continuity of companies like Oiltanking GmbH and Mabanaft is sure to take time to recover from. It typically costs organizations between $750,000 and $1.85M USD to recover from a significant ransomware attack, which doesn’t even include the cost of lost business due to the incident.

These attacks typically start with either compromised corporate credentials, malware being delivered to users via corporate email or collaboration platforms, or a vulnerable server or app being exploited. Corporate credentials are typically stolen via phishing, which is even more effective if the attacker can socially engineer the target over a personal channel like SMS, social media, or a third-party chat app. Malware delivery is becoming a more dated tactic with the effectiveness of inbound email security solutions such as secure email gateway (SEG), but it’s still used by attackers to gain their initial foothold directly in corporate infrastructure. Vulnerable apps and servers can be exploited by attackers – especially if they’re older assets that IT teams no longer have visibility into. It’s critical to mask the presence of web-enabled on-premises assets with a zero trust network access (ZTNA) solution. The best thing these companies can do right now is allocate every resource at their disposal to getting operations back online – both for the good of themselves and their customers.


| February 02, 2022

Greg Day, VP & CSO, EMEA, Palo Alto Networks

Fuel prices continue to rise, in part because of supply chain complexities, Covid and world affairs. Today’s confirmed cyberattacks on German oil suppliers Oiltanking GmbH Group and Mabanaft Group seem fortuitous to say the least. It’s promising to see that their systems were segmented as only subsidiaries have been impacted. At this stage, what is most important is how quickly Oiltanking GmbH and Mabanaft recover and return to 100 percent operational capacity. That means understanding what and how to ensure another attack isn’t repeated. Too often, organisations pay a ransom and get hit a second time. In fact, Cybereason found that 80 percent of organisations that participated in a global ransomware study that paid a ransom in 2021 were hit a second time. Organisations with rich data that spans across all the systems that were compromised and others that could have been impacted by those compromised systems have an advantage in the fight against ransomware gangs. All too often we see businesses struggling to maintain forensic data and/or they lack the internal skill set and capabilities to correlate data into tangible actions required to provide businesses with digital operational resilience that will put an end to the ransomware scourge.


| February 02, 2022

Andy Norton, European Cyber Risk Officer, Armis

For decades, ICS cybersecurity simply didn’t exist because it didn’t need to. Operational technology and information technology were separate domains with separate systems that didn’t connect to each other, and legacy industrial devices didn’t connect independently to the internet or to each other. This disconnection—the so-called “air gap”—was thought to be all the security that OT systems needed, aside from physical access control.

Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security. As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organisations struggle to find the right approach to protect their operational technology.

For example, many operation managers are concerned about downtime and the impact of implementing more security for their OT, IIoT, and other ICS devices. That’s understandable because legacy solutions that are built to scan IT networks can knock these devices offline or cause them to malfunction—if the scan can detect them at all.

Facilities that can’t operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web—or destroy that data altogether.

Fortunately, organisations no longer have to choose between predictable uptime and ICS cybersecurity. A non-disruptive solution for quickly identifying and continuously monitoring OT and ICS devices is required and the risks of delaying implementation of OT security are too big to ignore as these sorts of occurrences keep evidencing.


| February 02, 2022

Gary Kinghorn, Marketing Director, Tempered Networks

It’s too early to know who is behind this attack or exactly what was intended, but it’s another reminder that oil and gas operators must be prepared. As IT and OT worlds converge and cyber criminals take aim at higher value industrial and critical infrastructure targets, energy operators should assume that even an IT breach will have impacts on their operational processes. That means building stronger defenses combined with a plan for extra resiliency in scenarios where threat actors are still able to get in.

Oiltanking Suffers Cyberattack

Oiltanking Suffers Cyberattack
External Link: German Petrol Company Oiltanking Suffers Cyberattack

Share this page:

Related Posts