Skip links

Cyberattacker hits German service station petrol terminal provider

Two companies owned by Hamburg-based company fuel group Marquard & Bahls are battling cyberattackers, with loading and unloading systems at the German arm of petrol tank terminal provider Oiltanking affected.

HAMBURG – OCT 31: Oiltanking Tank Farm. October 31, 2018 in Hamburg, Germany. Oiltanking is a operator of tank terminals worldwide. Aerial view of the tank farm in the harbor of Hamburg.

Aerial view of Oiltanking’s tank farm in the harbor of Hamburg, Germany (click to enlarge)

The company this afternoon confirmed to The Register that Oiltanking GmbH’s terminals – which provide Shell service stations, among others – are “operating with limited capacity” and that Mabanaft GmbH had “declared force majeure for the majority of its inland supply activities in Germany.”

Shell has additional providers, however, and said it had “diverted operations to other suppliers to minimise disruption.”

Mabanaft describes itself as the “leading independent importer and wholesaler of petroleum products in Germany.”

A spokesperson for Oiltanking and Mabenaft told El Reg in a statement:

Marquard & Bahls owns a portfolio that includes three divisions: the larger Oiltanking GmbH Group – which the firm told us “continues to operate all terminals in all global markets”; Skytanking; and the Mabanaft division – which, confusingly, houses Oiltanking Deutschland GmbH – which operates all terminals in Germany and is not part of the Oiltanking GmbH Group.

According to IATA, Skytanking, which supplies on-airport jet fuel, “currently operates at 70 airports in Europe, South Africa and India refueling more than 1.5 million aircraft a year.”

Oiltanking told The Reg that the “cyberincident” had only affected the two German companies.

The firms said they were “committed to resolving the issue and minimizing the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and provide updates as soon as more information becomes available.”

According to its most recent annual report [PDF], for the year 2020 and filed in May 2021, parent firm Marquard & Bahls had a “satisfactory operational year in 2020”, with revenues of €9.183bn and pre-tax earnings of €149m. “Tank storage logistics and energy trading achieved good results, while aviation fuelling suffered a massive revenue collapse due to COVID-related travel restrictions.”

The report singled out Germany’s “service station business for commercial motor transport” – which was “initially in decline at the start of the pandemic but “gradually recovered in the second quarter.”

Big moves last year by M&B’s flagship holding, Oiltanking, included flogging off four European liquid storage terminals to Evos in Q4 2021 for an “undisclosed” amount as well as inking a deal with Singaporean authorities in which it became a founding “shareholder” of Singapore Trade Data Exchange (SGTraDex), a public-private partnership “aimed at reshaping the local supply chain ecosystem through digitalization.” SGTraDex was expected to launch in “early 2022.”

Oiltanking says on its website that it owns and operates 45 terminals in 20 countries in the Americas, Europe, Middle East, Africa, and Asia Pacific including China and India. The company adds that it has an overall storage capacity of more than 18.5 million cubic metres.

As for the German companies, Oiltanking Deutschland GmbH and Mabanaft GmbH invoking “force majeure” – a contractual clause that frees the business from liabilities arising from its obligations to customers – it’s unclear what the outcome will be. They will have to demonstrate that the attack is within the scope of their contractual provisions.

We have asked the firms which software and systems were affected. German newspaper Der Speigel reported that because Oiltanking’s loading and unloading systems are “essentially automated”, the operation of the tanker trucks that supply some of the nation’s petrol stations is only possible to a “limited extent manually.”

Several onlookers have speculated that the attack may be ransomware, although this has not been confirmed.

Around nine months ago, the operators of the Colonial Pipeline – which stretches 5,500 miles between Texas and New York, and can carry up to 3 million barrels of fuel per day – reportedly paid $5m to regain access to their systems after they were struck by ransomware, said to have been the work of the REvil group.

Charles Carmakal, senior VP at cybersecurity firm Mandiant, which responded to the incident, revealed in an interview a month later that crooks had accessed Colonial Pipeline’s network though an old VPN and password believed to have fallen into the wrong hands via the dark web. ®

Source