Cyberattack on Oiltanking: Black Cat ransomware group responsibe, also for Colonial Pipeline Hack

Sicherheit (Pexels, allgemeine Nutzung)[German]An addendum to the cyberattack of Saturday, January 29, 2022 on Oiltanking, a company belonging to the Hamburg-based Marquard & Bahls group, and the IT of Mabanaft, an oil trader belonging to the same group. The crippled parts of the critical infrastructure (CRITIS), because the loading systems of Oiltanking no longer work, have their cause in an infection with the Black Cat ransomware. And that's where it gets interesting, because it seems to be the same cybercriminals who were responsible for the ransomware attack on Colonia Pipeline in the US in 2021


Filling system for tank supply down

I had reported it in the blog post Cyber attack on German Oiltanking shuts down tank terminal, Dutch Shell also affected. Subsequent tweet points to the post.  

Cyberangriff auf Oiltanking

Brief summary: Saturday, January 29, 2022, a cyberattack occurred on Oiltanking, a company belonging to the Hamburg-based Marquard & Bahls group of companies, and Mabanaft, a petroleum trader belonging to the same group of companies. As a result, 13 tank terminals in Germany affected by Oiltanking have been paralyzed by the cyber attack, as Oiltanking's loading systems are dwon.

Customers include Shell with its service station system, so impairments there are also to be expected.  However, BSI head, Arne Schönbohm, pointed out that the impact was probably limited. The incident is classified as serious, but "not severe." According to Schönbohm, only 1.7% of all gas stations in the country were affected by the incident. For example, it was impossible to change prices or pay with a credit card. Cash payment was accepted at some of the 233 gas stations affected, most of them in northern Germany.  mit einer Kreditkarte zu bezahlen. An einigen der 233 betroffenen Tankstellen, die meisten davon in Norddeutschland, wurde Barzahlung akzeptiert. 

Parallels to Colonial Pipeline?

I had already guessed a ransomware attack in the article, although no details were disclosed. And my mind immediately went to the successful ransomware attack on U.S. pipeline operator Colonial Pipeline in May 2021.


The largest U.S. pipeline company had to shut down its operations after a successful ransomware attack. In the process, the pipeline that supplies fuel to the U.S. East Coast was also shut down as a precautionary measure (see my blog post Ransomware attack on US pipeline operator (May 2021)). In the blog post Ransomware attack on the US pipeline – the house is burning, I pointed out that the US government had declared a state of emergency on the US East Coast because the supply to gas stations was no longer working. In the above case, things are not quite that bad at Oiltanking.

But there was one detail that becomes relevant again. The DarkSide cybergang, which had offered its services as "as-a-service", was held responsible for the attack. After the successful cyber attack on the U.S. company Colonial Pipeline, U.S. President Joe Biden announced that the U.S. would stop the DarkSide gang's business. Shortly thereafter, the group lost access to its servers (see DarkSide gang lost access to it's servers) and ceased operations.

Black Cat group responsible for oiltanking attack

Brett Callow, Thread Analyst at Emsisoft, had contacted me by email last night and pointed out his following tweet, which sheds more light on the matter.

Black Cat/ALPHV Ransomware Gang

This tweet contains two pieces of information. Handelsblatt probably got hold of the BSI's internal situation report (their article is behind a paywall, but probably doesn't contain too many details). The BSI report discloses that the Black Cat ransomware group is blamed for the attack and that prosecutors have been called in. The "systems were compromised by the BlackCat ransomware via a previously unknown access point," quotes here. A spokeswoman for Oiltanking would not comment. 

What "unknown access" means, however, remains in the dark – between the lines I read "they don't know yet". In the Colonia Pipeline hack, VPN access was the gateway, see Colonial Pipeline News: Hack by stolen VPN credential, FBI partially recovers ransom money.

But what becomes interesting now is the above tweet from Brett Callow, who pointed out as early as January 31, 2022, that those involved in the Darkside ransomware group had rebranded themselves as BlackCat/ALPHV after the infrastructure was shut down. Or one of the affiliates that used Darkside's services followed in its footsteps under that name. And this brings us full circle, as the DarkSide cybergang is, after all, blamed for the attack on the US Colonial Pipeline.

Palo Alto provides information

Palo Alto Networks has published an update on the BlackCat ransomware family. First surfacing in mid-November 2021, the group already has the seventh-largest number of victims among ransomware groups monitored by Palo Alto Networks as of December 2021 – and the list continues to grow.

Ransomware victims

Victims come from a variety of industries, including construction, insurance, logistics, and more, adding to the group's influence. BlackCat attackers are demanding ransoms of up to $14 million – nearly triple the average ransom demand of $5.3 million in early 2021.

The emergence of BlackCat is part of a worrying trend that the activities of new and newly established groups can have a devastating impact in a short period of time. The group's success is attributed in part to the adaptability of its attacks and the efficient algorithms that enable encryption. For more details, see this article

Information from Varonis

I also have word from security vendor Varonis that their Thread Labs has been seeing increased activity from the ransomware group ALPHV (also known as BlackCat) since late 2021. The group acts as a Ransomware-as-a-Service (RaaS) provider, and is actively recruiting new partners. Notably, this includes (former) members of other gangs such as REvil, BlackMatter, and DarkSide.

It also states that the attack on the gas station supplier Oiltanking, which affected Shell among others, can be traced back to BlackCat. Other targets include larger companies in a wide range of industries, including business services, construction, energy, fashion, finance, logistics, manufacturing, pharmaceuticals, retail and technology. In particular, victims are from Australia, France, Germany, Italy, the Netherlands, Spain, the UK and the US. Claims range from $400,000 to $3 million.

ALPHV active since November 2021

ALPHV was first observed offering ransomware as a service in November 2021. In this case, the usual tactic of double extortion, in which sensitive data is stolen before encryption and victims are threatened with disclosure, is extended by another escalation level (triple extortion): in this case, the cybercriminals also threaten a DDoS (distributed denial of service) attack. This indicates a certain amount of experience in the field, which is why ALPHV is more likely to be a regrouping of known attackers than newcomers to this "business field".

This is also indicated by posts in cybercrime forums, which assume that ALPHV may be a further development or rebranding of BlackMatter, which itself is a "spin-off" or successor of REvil and DarkSide. Also noteworthy is the very high payout rate for affiliates of up to 90 percent of the ransom collected, which is used very actively to recruit and find new affiliates in relevant communities.

Penetration of victim networks

Working with these new partners, the initial penetration of the victim network is usually done using proven techniques, such as exploiting common vulnerabilities in network infrastructure devices like VPN gateways and misusing credentials via unprotected Remote Desktop Protocol (RDP) hosts. Following that, ALPHV attackers often use PowerShell to change Windows Defender security settings across the victim's network and launch the ransomware on multiple hosts using PsExec.

Once access is gained to the victim systems, the reconnaissance phase starts, identifying sensitive and valuable data for exfiltration and subsequent encryption, as well as lateral movement across the network. In this process, the ransomware is recreated for each victim and includes, for example, the type of encryption (such as encrypting only parts of large files) and embedded credentials of the victim to enable automatic propagation of the ransomware to other servers.  

Unlike many other ransomware programs, ALPHV was developed in Rust. This programming language is characterized by high performance and cross-platform features. Accordingly, both Linux and Windows variants have already been identified.

For more information on ALPHV (BlackCat), including details on configurations, processes, and indicators of compromise, see the corresponding Varonis blog post.  

Marquard & Bahls, Oiltanking, Mabnaft

Marquard & Bahls is a Hamburg-based company active in the energy and chemicals sectors. Its core businesses include tank storage logistics, trading and aviation fuelling.

Mabanaft is the trading organization of Marquard & Bahls. The business comprises regional trading and the wholesale of petroleum products. In addition, the company is active in bunker services, service station and heating oil end-consumer business, as well as trading in liquefied petroleum gas, biofuels and biofuels. Annual sales volume is approximately 18.1 million tons (as of December 2020).

Oiltanking is one of the world's largest independent providers of tank terminals for petroleum products, chemicals and gases. The company owns and operates 64 tank terminals in 24 countries with a total capacity of 20 million cubic meters (as of December 2020). In 2019, total throughput was around 155 million tons.

Similar articles
Ransomware attack on US pipeline operator (May 2021)
Ransomware attack on the US pipeline – the house is burning
Colonial Pipeline-Angriff: 5 Mio. $ für die Katz und ungepatchte Exchange-Server
DarkSide gang lost access to it's servers
Colonial Pipeline Attack: Wasted $5 Million and uses vulnerable Exchange Servers
Colonial Pipeline News: Hack by stolen VPN credential, FBI partially recovers ransom money

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *