Two German oil companies have been disrupted this week by an ongoing cyberattack thought to have been instigated by the ransomware group BlackCat. Oil companies are becoming popular targets for ransomware criminals because the disruption a breach can cause means the chances of receiving a rapid pay-out are high. One security analyst believes the group behind this week’s attack is a reincarnation of ransomware-as-a-service (RaaS) gang DarkSide, which is thought to have perpetrated the hack on Colonial Pipeline, another oil company, last year.
The German oil company attack: what happened?
An internal report from the Federal Office for Information Security (BSI), seen by the German media, has pinned the blame for the attack on the two companies, Oiltanking Group and mineral oil supplier Mabanaft Group, on BlackCat.
The two businesses, which share a parent company, Marquard & Bahls, have confirmed they had suffered a breach over the weekend. Oiltanking declared a “force majeure” for the majority of its German supply, excusing the company from its contractual agreements because a “catastrophic event” had occurred that was beyond its control.
Operations have ground to a halt as the entirely automated tank loading and unloading processes were taken offline and cannot be operated manually, and have yet to be restored. Oiltanking’s terminals are working at limited capacity while the issue is resolved, the companies said in a joint statement, with operations at hundreds of petrol stations across Germany disrupted. The businesses added that they are “working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident.”
Why are cybercriminals targeting oil companies?
Attacks such as these on gas and oil companies are part of a trend of cybercriminals targeting critical national infrastructure. “It is interesting to see that even some not so publicly known organisations such as petrol distributors are getting attention from cyberattackers nowadays,” says Stanislav Sivak, associate managing software security consultant at security company Synopsys.”
These companies are being targeted because they are part of much wider supply chains, says Ian Porteous, regional director in security engineering at security company Check Point Software. “The choice of Oiltanking Deutschland was highly strategic by cybercriminals,” he says. “They’re looking for a snowball effect. In other words, the hackers here are thinking about the second and third-order effects to optimise for profits.”
Cybercriminals know that any disruption to the fuel supply can become a national and international issue, Porteous says. “This can place unprecedented pressure on the ransomware victims to cave in and meet the demands of the cybercriminals,” he adds.
The conflict between Ukraine and Russia could also be significant in this attack, says Max Heinemeyer, director of threat hunting at Darktrace, because it has raised concerns about the oil and gas supply to Germany. The hackers may have seen this as an opportunity to get a swift payout, Heinemeyer says. “Given the current tensions around Ukraine, it is worth remembering that around a third of all oil and gas used in Germany comes from Russia, via the Nordstream 2 pipeline,” he says. “This recent disruption will only serve to increase German reliance on the contentious pipeline.”
Is BlackCat the reincarnation of DarkSide?
BlackCat is likely a reincarnation of the notorious DarkSide gang, which was behind last year’s Colonial Pipeline attack, says Brett Callow, threat analyst at Emsisoft.
BlackCat/ALPHV is likely either another Darkside rebrand – and Darkside was responsible for the attack on Colonial – or was created by a former Darkside affiliate. 1/2 https://t.co/GrvPVoXciJ
— Brett Callow (@BrettCallow) February 2, 2022
Following the Colonial Pipeline breach, which left petrol stations up and down the East Coast of the US without fuel, the gang rebranded itself as BlackMatter, to try to avoid law enforcement agencies. But in October it was revealed that a flaw in BlackMatter’s malware had allowed security researchers to recover victim data without paying ransoms. “The development team responsible for BlackMatter made a mistake and, according to information from various sources, was canned as a result,” Callow told Tech Monitor. “New developers were hired and they created BlackCat.”
According to a report on the group released by Palo Alto’s Unit 42 threat analysis team, BlackCat, or ALPHV, is known for its sophistication and innovation and has been in operation since mid-November 2021. The gang operates on the RaaS model, providing its malware to third parties and keeping 10%-20% of the ransom. Most of the group’s victims so far are US based, but the gang is now targeting organisations in Europe across various industries.