Europe just experienced a smaller but still alarming version of last May’s Colonial Pipeline attack in the U.S., as two large German fuel storage companies were taken offline by ransomware.
The Jan. 29 attack targeted Oiltanking GmbH Group and Mabanaft GmbH & Co. KG Group, which operate fuel storage and supply businesses as subsidiaries of the logistics firm Marquard & Bahls. The full effects of the incident are still unclear, but reports indicate major disruptions to loading and unloading at the companies' terminals.
This stopped fuel tankers from filling up in order to resupply gas stations, with knock-on effects for Germany’s largest retail site network, Aral, owned by oil giant BP. Had it not been able to source alternative supplies, the company reportedly would have run short of fuel at 233 of its 2,300 gas stations.
You can gauge the seriousness of the attack by the fact that one of the fuel companies had to declare force majeure, a last-resort legal declaration that a company cannot meet its contractual obligations because of circumstances beyond its control. This is unusual for any sector, let alone critical infrastructure.
So far, the affected parties have offered no details on the malware or methods used beyond confirming the attack. What little is known has emerged in reports by German newspaper Handelsblatt, which got hold of an internal report by Germany’s cybersecurity agency, the Federal Office for Information Security (BSI).
Anyone looking for a heads-up on the attackers’ toolkit will be frustrated by the lack of detail, but the reporting does reveal that the recently discovered BlackCat group is believed to be responsible.
The Russian-language group appeared on researchers' radar in November 2021 and takes its name from the black cat favicon on the Tor site it uses to accept ransom payments.
The malware itself is tracked by researchers as ALPHV and is written in the Rust programming language. It is the latest example of ransomware-as-a-service (RaaS), a business model in which the core group recruits affiliates to carry out attacks using a platform of ready-made, largely automated tools, in exchange for a share of the ransom.
In the context of attacks on energy and infrastructure, that is concerning: it means the latest attack will not be the last. There is no confirmed data on the size of the ransom demanded, but given that the targets were multinationals, a demand running to millions of dollars would be in line with comparable RaaS attacks.
Technically, ALPHV is a hands-on tool driven from the command line, offering a skilled operator many options: several encryption modes and ciphers, the ability to target a wide range of hosts (Windows, Linux and VMware ESXi builds exist), control over virtual machines, and deletion of the operating-system snapshots, such as Windows Volume Shadow Copies, that defenders sometimes rely on to recover systems without paying.
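Because destroying recovery points is a near-universal step before encryption, the process-creation log is the place to catch it. The following is an added example, not code from the article or from any published ALPHV analysis: it runs a small set of snapshot-tampering signatures over Sysmon-style process events. The event records, host names and the list of commands are constructed for illustration (they are commonly abused recovery-destruction commands, not ALPHV-specific indicators), and the "two distinct techniques on one host" escalation rule is an assumption chosen for this example.

```python
"""Detect shadow-copy / recovery-tampering commands in process-creation logs.

Added example (not from the article or any vendor's ALPHV analysis).
Assumes Sysmon Event ID 1 style records reduced to (host, image, command_line);
the sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Regexes are applied to a normalized (lowercased, de-quoted, whitespace-collapsed)
# command line. Assumption: this list is a generic set of recovery-destruction
# commands used across many ransomware families, not ALPHV-specific IOCs.
RECOVERY_TAMPER_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize\b"), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*remove-wmiobject"), "PowerShell Win32_ShadowCopy removal"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"), "bcdedit recoveryenabled no"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"), "bcdedit ignoreallfailures"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"), "wbadmin delete catalog"),
]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    command_line: str


def normalize(cmd: str) -> str:
    """Lowercase, strip quotes and collapse whitespace so that trivial
    obfuscation ("vssadmin"  Delete   Shadows) still matches."""
    return " ".join(cmd.replace('"', " ").replace("'", " ").split()).lower()


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert for the first matching tampering signature, else None."""
    cmd = normalize(event.command_line)
    for pattern, label in RECOVERY_TAMPER_PATTERNS:
        if pattern.search(cmd):
            return Alert(event.host, label, event.command_line)
    return None


def scan(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run every event through classify() and keep the hits, in log order."""
    return [a for a in (classify(e) for e in events) if a is not None]


def staged_hosts(alerts: Iterable[Alert]) -> Set[str]:
    """Hosts showing two or more distinct tampering techniques: a stronger
    signal of pre-encryption staging than a single admin command (assumed rule)."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return {h for h, techs in seen.items() if len(techs) >= 2}


# Constructed sample events: four tampering commands across two hosts,
# plus a benign "vssadmin list shadows" query and an unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("fs01", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("fs01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent("db02", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("db02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ProcessEvent("ws07", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent("ws07", r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.host}: {hit.technique} <- {hit.command_line}")
    print("hosts with staged recovery destruction:", sorted(staged_hosts(hits)))
```

The benign `vssadmin list shadows` query deliberately does not fire, which matters in production: alerting on every invocation of `vssadmin.exe` drowns the signal in routine backup-agent activity, whereas the combination of a deletion verb and a second technique on the same host is rarely legitimate.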
Although far less disruptive, the attack is unmistakably reminiscent of the Colonial Pipeline attack, which for several days had East Coast U.S. consumers queueing for fuel. This might not be coincidence: that attack was attributed to the DarkSide group, which later rebranded as BlackMatter and reportedly shares members with BlackCat. In January, Russia's FSB security service arrested 14 alleged members of REvil, another notorious and highly active group, at least one of whom was alleged to have connections to DarkSide. That bust looked like a rare win for justice. Unfortunately, the latest attack is a reminder that Russian ransomware has much deeper roots.