A major German independent oil and gas storage company, Oiltanking, confirmed Tuesday that it has been the victim of an attack on its IT systems and admitted that it has hit its inland supply, with terminals operating with limited capacity. The incident has impacted operational technology, according to German media reports.
Its sister company, oil trading firm Mabanaft, was also hit in the incident on Saturday January 29.
Oiltanking, a major part of the €14 billion Marquard & Bahls group, operates 47 tank terminals in 21 countries with a total capacity of 18.5 million cubic metres. Its 13 petrol storage facilities in Germany supply Shell petrol stations in the country, along with other small and medium-sized petrol station firms.
According to an initial report in Handelsblatt, later picked up by Der Spiegel (both links in German), the attack has shut down all of Oiltanking’s loading and unloading operations, effectively bringing the firm’s business to a standstill. Details of how the attack has affected Mabanaft are not yet clear.
The company has declared force majeure after the Oiltanking cyber attack.
An Oiltanking spokesperson told The Stack: "Oiltanking Deutschland GmbH & Co. KG terminals are operating with limited capacity and have declared force majeure. Mabanaft Deutschland GmbH & Co. KG has also declared force majeure for the majority of its inland supply activities in Germany. All parties continue to work to restore operations to normal in all our terminals as soon as possible."
The nature of the cyber-attack is unclear so far, but media reports and observers speculate it could be a ransomware attack. Spiegel noted in its report the German domestic intelligence service BfV – equivalent of the USA’s FBI – had warned against the growing threat of attacks by Chinese hackers just last week.
See also: Kronos backup access attacked as firm vows cold storage overhaul
The incident comes less than a year after the ransomware attack on the Colonial Pipeline in the US. That shut down operations on a pipeline that moves some 2.5 million barrels per day of gasoline, diesel, and jet fuel from Houston to New York. The Colonial Pipeline breach occurred after attackers gained access to credentials for a neglected VPN account that had been set up with no multi-factor authentication (MFA).
In 2020 German firms reported 3,747 ransomware demands to the ID Ransomware service, with demands totalling US$132.5m, according to research by cyber-security vendor Emisoft. The company also estimates the true cost of ransomware demands and downtime for 2020 in Germany may be closer to US$4.6 billion.
One market observer told us: "This will mean that product coming out of Shell's refineries (Pernis?) will have to find a new home (although should be able to sit at the refinery for a bit); shipping schedules need to change and so on: quite a headache for a lot of people." (Have you been impacted or do you know more? Get in touch).
Oiltanking's full statement:
"On Saturday, January 29th 2022, Oiltanking GmbH Group and Mabanaft GmbH & Co. KG (Mabanaft) Group discovered we have been the victim of a cyber incident affecting our IT systems. Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter. We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident. We are undertaking a thorough investigation, together with external specialists and are collaborating closely with the relevant authorities. All terminals continue to operate safely.
Oiltanking Deutschland GmbH & Co. KG, an operating unit within the Mabanaft Group, operates all terminals in Germany and is not part of the Oiltanking GmbH Group.
Oiltanking GmbH Group continues to operate all terminals in all global markets. Oiltanking Deutschland GmbH & Co. KG terminals are operating with limited capacity and have declared force majeure. Mabanaft Deutschland GmbH & Co. KG has also declared force majeure for the majority of its inland supply activities in Germany. All parties continue to work to restore operations to normal in all our terminals as soon as possible.
We are committed to resolving the issue and minimizing the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and provide updates as soon more information becomes available."