Hackers Target Key Fuel-Distribution Firms in Europe

Europe’s fuel-supply network fell victim to a cyberattack — less than a year after the biggest refined petroleum pipeline in the U.S. was halted by a hack.

The situation was serious “but not grave,” the head of Germany’s information technology security agency said. The attack targeted a leading oil trader, and disrupted payments at hundreds of filling stations.

Mabanaft GmbH & Co. KG, which stores and distributes large amounts of fuel in the country, said on Tuesday that its IT systems had been breached and its operations disrupted. On Wednesday, a broker that handles deliveries of fuel to customers inland via the Rhine River said numerous terminals in the Amsterdam-Rotterdam-Antwerp oil trading hub were also affected.

The incidents serve as a reminder of how cyber security is becoming a growing concern across the oil industry. Last year, Colonial Pipeline Co. paid a ransom after a hack forced it to shut the largest fuel pipeline in the U.S., resulting in shortages at filling stations and price spikes.

Mabanaft, which distributes diesel, gasoline and heating oil, declared force majeure on supplies within Germany following the Jan. 29 breach that targeted its distribution business, as did Oiltanking Deutschland GmbH & Co. KG, a related storage company. The legal clause covers a company when it can’t honor contractual commitments due to events beyond its control.

Oiltanking GmbH Group, which operates terminals internationally, confirmed that along with Mabanaft its systems were also affected. All its terminals in global markets continue to function safely, it said, without elaborating. The company owns and operates more than 40 sites worldwide, according to its website.

Oil-Trading Hub

Multiple terminals in Europe’s oil-trading hub have been impacted by “IT issues,” according to barge broker Riverlake.

SEA-Tank Terminal, which has extensive storage facilities in Antwerp, was affected by a cyberattack, according to an email seen by Bloomberg. The email, from a company that does business with SEA-Tank, stated that the storage company’s IT systems suffered an unexpected outage.

“I have several barges waiting for loading and discharging for days,” at SEA-Tank terminals in Antwerp, said Jelle Vreeman, a senior broker at Riverlake.

Prosecutors are investigating whether Mabanaft’s parent company was the victim of a ransomware attack, Handelsblatt reported.

“All parties continue to work to restore operations to normal in all our terminals as soon as possible,” Mabanaft said earlier. It declined to state whether a ransom is being sought or when it expects the situation to be resolved.

As of Wednesday afternoon, these are the key developments:

• Hamburg prosecutors are investigating whether fuel distributor Marquard & Bahls — which owns Mabanaft and Oiltanking — is the victim of a ransomware attack, Handelsblatt reported. The hackers used “Black Cat” ransomware, the newspaper said, citing a report by the Federal Office for Information Security. The FOIS later declined to comment on that report.
• The head of the FOIS, Arne Schoenbohm, said that 233 gasoline filling stations largely in northern Germany had been affected, only 1.7% of the country’s total. At some of those stations it wasn’t possible to pay by credit card. The agency is in contact with and assisting Mabanaft, a spokesperson said.
• Oiltanking Deutschland’s declaration of force majeure is likely to be felt most keenly in locations where there’s the least alternative fuel supply. That includes the Hamburg area, which is served by the Holborn refinery, and southwest Germany, which relies on the Miro oil plant.
• The drop in deliveries prompted by that force majeure declaration can be met currently by other suppliers, according to EN2X, the group that represents refiners and distributors in Germany.
• Wisag, a German aviation services provider that offers airport ground handling operations, said it suffered a serious IT breach on Jan. 27. It hasn’t responded to the perpetrators’ request to make contact and negotiate, insisting it would not be blackmailed. There has been no impact to its airport operations. It’s not clear if it’s linked to the Mabanaft breach.
• The Evos Group has experienced disruptions of IT services at its terminals in Terneuzen in the Netherlands, Ghent in Belgium and in Malta, which is causing some delays in “execution,” according to a spokesperson for the energy storage company. All operations “continue to take place in a safe manner.” The company didn’t elaborate on the cause of the disruption.
• Shell Plc said it is having to seek alternative supply, with trucks unable to load at fuel depots linked to Mabanaft.

–With assistance from Brian Wingfield, Angela Cullen and Sheela Tobben.