European oil, diesel and gasoline storage company Evos has admitted to "disruption of IT services" amid a wave of cyber-attacks that have hit fuel storage facilities and broader port terminal operations this week. SEA-invest, one of the world's largest terminal operators for everything from pineapples to chemical products, has also been hit according to Belgian media, with De Tijd reporting that its worldwide operations were badly affected. Local reports suggested that loading and unloading of fruit cargoes in Antwerp had been difficult since Sunday 29 January.
The incidents have hit EU supply chains, affecting oil storage facilities and cargo terminals in the Amsterdam, Rotterdam and Antwerp (ARA) port region and beyond and follow an attack on German fuel storage and distribution firm Oiltanking. (Evos only recently bought several oil storage facilities from Oiltanking.)
SAP ERP systems were reported by market watchers to have been affected by the attack, forcing the companies back to paper-based invoicing and other manual operational processes.
(The Stack could not independently confirm this claim, which was shared with us. It would, however, fit with early intelligence pointing to the BlackCat ransomware: Palo Alto Networks' analysis of BlackCat's TTPs shows that the ransomware kills a range of processes and services to hinder or prevent security tooling and backups, going after backup software such as Veeam and also looking for active SAP processes, with its kill list including names such as "APService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec". SAP and Onapsis also warned last year of ransomware threats targeting unpatched SAP installations.)
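The behaviour described above (a burst of stops against backup and SAP services on one host) is something a SOC can watch for in process-creation telemetry. The script below is an added example written for this page; it is not code from The Stack, Palo Alto Networks or any of the companies named. It assumes a constructed one-line-per-event export of Windows process-creation logs (Sysmon Event ID 1 or Security 4688, format assumed) and uses a short illustrative watch list built from the names quoted in the article, which is far shorter than the real BlackCat kill list and should be extended from the vendor report. The threshold logic is the practitioner's caveat: one `net stop` is routine maintenance, several distinct backup and SAP services stopped within minutes is the ransomware pre-encryption pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watch list drawn from the names quoted in the article (Veeam and
# the SAP* service names). Assumption: it stands in for, and is much shorter
# than, the real BlackCat kill list published by Palo Alto Networks.
WATCHED_EXACT = {
    "veeam", "veeambackupsvc", "veeamdeploymentsvc",
    "sap", "sap$", "sapd$", "saphostcontrol", "saphostexec", "sapservice",
}
WATCHED_PREFIXES = ("sap$", "sapd$", "veeam")   # instance names such as SAP$PRD

# Common ways a service or process is stopped from a Windows command line.
STOP_PATTERNS = [
    re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\"\s]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+\"?([^\"\s]+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([^\"\s]+)", re.I),
    re.compile(r"\bStop-Service\b\s+(?:-Name\s+)?\"?([^\"\s]+)", re.I),
]

# Constructed log format (assumption): one process-creation event per line,
# e.g. exported from Sysmon Event ID 1 or Security 4688.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$"
)


def normalise(name):
    """Lower-case, drop quotes and a trailing .exe so taskkill/net/sc agree."""
    name = name.strip('"\'').lower()
    return name[:-4] if name.endswith(".exe") else name


def is_watched(name):
    return name in WATCHED_EXACT or name.startswith(WATCHED_PREFIXES)


def stop_targets(cmd):
    """Return the set of watched service/process names a command tries to stop."""
    targets = set()
    for pat in STOP_PATTERNS:
        for m in pat.finditer(cmd):
            name = normalise(m.group(1))
            if is_watched(name):
                targets.add(name)
    return targets


def parse_events(lines):
    """Yield (timestamp, host, user, targets) for lines that stop a watched name."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # ignore lines we cannot parse
        targets = stop_targets(m["cmd"])
        if targets:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], targets


def detect(lines, window=timedelta(minutes=5), threshold=3):
    """
    Alert when one host stops >= `threshold` distinct watched names inside
    `window`. A single stop is routine maintenance; a burst across backup and
    SAP services is the pattern the article describes.
    """
    by_host = defaultdict(list)
    for ts, host, user, targets in parse_events(lines):
        by_host[host].append((ts, user, targets))

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, user, _) in enumerate(events):
            seen = set()
            for ts, _, targets in events[i:]:
                if ts - start > window:
                    break
                seen |= targets
            if len(seen) >= threshold:
                alerts.append({"host": host, "user": user, "first_seen": start,
                               "targets": sorted(seen)})
                break                      # one alert per host is enough
    return alerts


# Constructed sample: a burst on one host, a lone maintenance stop on another.
SAMPLE_LINES = [
    "2022-01-30T21:04:11 host=TERMINAL-SAP01 user=svc_backup cmd=net stop VeeamBackupSvc /y",
    "2022-01-30T21:04:13 host=TERMINAL-SAP01 user=svc_backup cmd=taskkill /F /IM SAPHostExec.exe",
    "2022-01-30T21:04:15 host=TERMINAL-SAP01 user=svc_backup cmd=sc stop SAPHostControl",
    '2022-01-30T21:04:20 host=TERMINAL-SAP01 user=svc_backup cmd=net stop "SAP$PRD"',
    "2022-01-30T21:05:02 host=TERMINAL-SAP01 user=svc_backup cmd=net stop Spooler",
    "2022-01-30T09:12:40 host=OFFICE-WS07 user=basisadmin cmd=net stop SAPHostExec",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run against the constructed sample, only TERMINAL-SAP01 trips the rule (four distinct watched names inside nine seconds); the single `net stop SAPHostExec` on OFFICE-WS07 stays below the threshold, and the Spooler stop is ignored because it is not on the watch list. In production the same logic belongs in the SIEM's correlation engine, with the watch list fed from the vendor's published BlackCat configuration rather than this abbreviated one.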
The Netherlands' National Cyber Security Centre (NCSC) said that the attacks do not appear to be related, nor to be linked to nation-state hackers: "The NCSC's view is that at the moment there does not seem to be a coordinated attack and that the attacks were probably committed with a criminal motive. The NCSC is closely monitoring developments and will take further action if necessary."
Commodities specialist Argus Media meanwhile reported at least six oil storage terminals were struggling to load or unload cargo, with affected sites operated by SEA-Invest subsidiary SEA-Tank, as well as Evos and Oiltanking.
Evos confirmed in a statement to The Stack it was experiencing IT issues with its terminals at three sites.
"Evos continues to operate at all its terminals. There is a disruption of IT services at our terminals in Terneuzen, Ghent and Malta, which is causing some delays in execution," the company told us, adding: "The source of the disruption is being investigated. All operations continue to take place in a safe manner."
SEA-invest told The Record that it had been hit with ransomware on the evening of January 30. It added that its dry bulk division did not have to cease operations and that its liquid bulk department, SEA-Tank, had been able to resume operations as of February 2.
German paper Handelsblatt reported (link in German) it had obtained internal documents from the German Federal Office for Information Security (BSI), identifying BlackCat ransomware as being behind the Oiltanking attack. The attack on SEA-invest is not reported to have been linked and appears to have involved Conti ransomware.
Thomas Warner, senior reporter at Argus Media, said: “Most of these operators are still able to load and unload cargo, it’s just taking ages because they’ve had to go back to doing the paperwork manually. At the moment it seems like it’s more of an inconvenience than anything – but it’s worth pointing out that delays can really add up. As soon as you get a few delays, the whole thing can snowball, which was something we saw quite a lot in the third quarter of last year. You just have a couple of hiccups, and suddenly you’ve got a lot of problems.”
He also suggested these incidents pointed to wider issues: “People in the oil market have been caught napping on cyber-security. For a long time they’ve understood the importance of physical security, there’s all kinds of companies working on protecting physical assets, but they haven’t applied that same level of diligence to cyber-security. And the more integrated into the world these facilities are, the more they’re going to have to invest.”
Companies not yet running tabletop exercises built around recovering from a ransomware attack should start doing so. Guidance from security experts includes regular offline "cold" backups as well as robust network segmentation (attackers aggressively go after backups, including cloud-based backups). For a visceral take on what it feels like to be hit by ransomware, as well as some useful guidance from a victim, read this...