Fuel under attack: examining Europe’s newest cyber target
Bernard Montel, EMEA Technical Director and Security Strategist at Tenable discusses the risks to energy supply.
European fuel supplies are under threat from a dangerous and invisible new adversary: ransomware. Recently, the major German fuel supplier Oiltanking Deutschland GmbH & Co. KG was hit by a ransomware attack that severely restricted its operations and supply, and it wasn’t the only European fuel business to come under fire. SEA-Invest in Belgium and Evos in the Netherlands also suffered cyber incidents, and European authorities are still investigating the cyber-attacks on these key fuel suppliers.
It’s clear that ransomware is the flavour of the week (and month, and year) when it comes to critical infrastructure, and cybersecurity professionals are noticing frightening similarities between these incidents and the infamous Colonial Pipeline ransomware attack in May 2021. Last year ransomware operators saw record-breaking profits, and despite containing its incident, Colonial Pipeline alone paid a ransom demand of almost US$5 million. But when every sector is facing new technological challenges and increased digital threat, why is critical infrastructure being targeted?
Why is fuel under threat?
Over the past few years, the oil and gas industry’s reliance on digital platforms, devices and systems has increased by a large margin. While embracing new technologies can benefit efficiency, output and a business’s bottom line, it also leads to the inevitable convergence of IT (servers, routers, PCs and switches) and operational technology, or OT (programmable logic controllers (PLCs), distributed control systems (DCSs) and human machine interfaces (HMIs)). The merging of these two environments, combined with human fallibility, expands the attack surface and makes cybersecurity threats harder to detect, investigate and remediate.
Ransomware attacks against critical infrastructure could potentially have a significant impact especially when operations, such as petroleum pipelines or food processing plants, are shut down. Threat actors rely on these potential disruptions to incentivise organisations to pay the ransom. Attacks like those inflicted upon the fuel sector prove that bad actors have critical infrastructure in their crosshairs, and businesses large and small must prepare and protect against the simple flaws that can let attackers in.
A nation state affair?
The entire world had to bear witness last year to the damage that ransomware attacks can wreak: with organisations unable to operate, there is an inevitable knock-on impact on the supply chain and on citizens’ lives. The recent attacks affecting Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands are worrying, but talk of coordinated nation state attacks is premature. The most likely scenario is that the attackers are working from a database of similar targets and their efforts are hitting the mark.
While it can take months to determine the intricate details of an attack, early reports suggest that BlackCat (thought to be a rebrand of BlackMatter, itself a reincarnation of DarkSide) might be responsible for these fuel attacks across Europe. In a separate incident, KP Foods also recently fell victim to ransomware, with Conti blamed for its outages. While a different sector, one similarity endures between these two incidents: both of these hacker groups operate a ‘ransomware-as-a-service’ (RaaS) business model. That means this is organised crime, with databases of victims and numerous affiliates who have no allegiance to any one ransomware group, will often partner with several, and harness powerful bots to automate malware delivery.
From a victim’s perspective, who is responsible is actually irrelevant, particularly as this is unlikely to be known for months; how it occurred is the important question. In the majority of instances, as is the case with BlackMatter and Conti, it is a known vulnerability that allows the malware to infiltrate the infrastructure and encrypt systems. BlackMatter has been known to target remote desktop software and leverage previously compromised credentials, while Conti is known to use flaws like Zerologon, PrintNightmare, EternalBlue and, more recently, Log4Shell during its attacks. Another attack path is the exploitation of misconfigurations in Active Directory, a tactic both Conti and BlackMatter are known to use.
How to stay protected from ransomware
What organisations must heed is that basic security principles can go a long way in blocking the attack path ransomware takes. Security teams need to adopt solutions that provide appropriate visibility, security and control across the cloud and converged infrastructure. Identify the critical systems the organisation relies on to function, identify any vulnerabilities that affect these systems, then take steps to either patch or otherwise remediate the risk. Businesses must also address excessive permissions in Active Directory that allow attackers to elevate privileges and infiltrate the infrastructure further.
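The three steps above (identify critical systems, identify the vulnerabilities affecting them, remediate in order of risk) are easy to state and hard to keep on top of across a converged IT/OT estate. The script below is an added example, not code from the article or from Tenable, showing one way to turn a plain asset inventory into a ranked remediation list. It weights the factors the article calls out: whether the business depends on the host, whether it carries one of the vulnerabilities named above (Zerologon, PrintNightmare, EternalBlue, Log4Shell are treated as "known exploited"), and whether remote desktop is reachable from an untrusted network. The inventory, host names and scoring weights are constructed sample data and assumptions, not real findings.

```python
"""Rank hosts for patching/remediation from a simple asset inventory.

Added example (not from the article). All hosts, findings and weights
below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Vulnerability names the article mentions as used by ransomware operators.
# Treating them as "known exploited" is an assumption for this sample;
# in practice this set comes from your vulnerability intelligence feed.
KNOWN_EXPLOITED = {"Zerologon", "PrintNightmare", "EternalBlue", "Log4Shell"}

# Scoring weights (assumed): exploited flaws and exposed RDP outrank
# ordinary findings, and critical systems are bumped to the front.
W_CRITICAL = 3
W_EXPLOITED_BASE = 4
W_EXPOSED_RDP = 3


@dataclass
class Host:
    name: str
    role: str                      # e.g. "domain-controller", "hmi", "workstation"
    critical: bool                 # does the business need it to operate?
    exposed_services: set = field(default_factory=set)  # reachable from untrusted nets
    vulns: set = field(default_factory=set)             # findings by name


def risk_score(host):
    """Return (score, reasons) explaining why a host ranks where it does."""
    score = 0
    reasons = []
    if host.critical:
        score += W_CRITICAL
        reasons.append("business-critical system")
    exploited = host.vulns & KNOWN_EXPLOITED
    if exploited:
        # One base penalty for carrying any exploited flaw, plus one per flaw.
        score += W_EXPLOITED_BASE + len(exploited)
        reasons.append("known-exploited: " + ", ".join(sorted(exploited)))
    other = host.vulns - KNOWN_EXPLOITED
    if other:
        score += len(other)
        reasons.append("other findings: " + ", ".join(sorted(other)))
    if "rdp" in host.exposed_services:
        score += W_EXPOSED_RDP
        reasons.append("remote desktop reachable from untrusted network")
    return score, reasons


def prioritise(hosts):
    """Return hosts ordered highest risk first; ties keep inventory order."""
    return sorted(hosts, key=lambda h: risk_score(h)[0], reverse=True)


def sample_inventory():
    """Constructed inventory: a domain controller, a jump host, an HMI, a PC."""
    return [
        Host("dc01", "domain-controller", True, set(), {"Zerologon", "PrintNightmare"}),
        Host("jump01", "jump-host", False, {"rdp"}, {"EternalBlue"}),
        Host("hmi01", "hmi", True, set(), {"unsupported-os"}),
        Host("ws17", "workstation", False, set(), set()),
    ]


def report(hosts):
    """Render the ranked list as text lines suitable for a ticket or runbook."""
    lines = []
    for h in prioritise(hosts):
        score, reasons = risk_score(h)
        why = "; ".join(reasons) if reasons else "no findings"
        lines.append(f"{score:>2}  {h.name:<8} {h.role:<18} {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sample_inventory())))
```

The point of keeping `reasons` alongside the score is that the ranking is explainable to the OT owners who have to schedule the downtime: a domain controller with Zerologon outranks a jump host with exposed RDP, and both outrank an HMI whose only finding is an unsupported OS, and each line says why. Feeding real scanner output in place of `sample_inventory()` is the obvious next step.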
Failing to do the basics means the business is vulnerable and disruption is imminent, whoever is attacking.