Malicious threat actors always have critical infrastructure entities in their crosshairs. As soon as any opportunity presents itself, it's already too late for that organization to stop an attack.
That opportunity came this week, as two oil companies in Germany announced they had been hit with cyberattacks affecting operations.
Oiltanking GmbH Group and Mabanaft Group, both subsidiaries of the Marquard & Bahls group, describe the attack as a "cyber incident affecting our IT systems." They say they are in the process of investigating the incident and that they are working to understand the full scope.
Oiltanking GmbH Group said in a statement that it "continues to operate all terminals in all global markets." However, Oiltanking Deutschland GmbH, which is a separate unit within the Mabanaft Group that operates all terminals in Germany, says it is "operating with limited capacity" and declared force majeure. Mabanaft Deutschland GmbH also declared force majeure for "the majority of its inland supply activities in Germany."
Impact of cyberattack on oil companies
Last year, the Colonial Pipeline incident showed how a cyberattack on an oil supplier could have significant ramifications. That incident caused gas shortages across the Eastern seaboard of the United States, leaving thousands of people unable to fill their vehicles with fuel.
Thankfully, it appears this incident won't have the same widespread impact.
Arne Schoenbohm, the head of Germany's IT security agency, said the incident was serious "but not grave," according to the AP. He also noted that 233 gas stations in Northern Germany had been affected, but that this accounts for only 1.7% of the country's total stations.
Tim Wade, Technical Director on the CTO Team at Vectra, discusses the impact of cyberattacks such as these:
"Impacting elements of the fuel, heating, and combustibles supply chain during the winter season potentially puts human safety and wellbeing in the crosshairs. These types of attacks underscore the very serious risks posed by criminals to foundational parts of essential services and infrastructure. We sincerely hope for minimal disruption even as we hope that organizations will invest in the resilience necessary to withstand and recover from such threats," Wade said.
How do attacks on critical infrastructure start?
While there is an endless number of ways for attacks on critical infrastructure entities to start, some vectors are more common than others.
Hank Schless, Senior Manager of Security Solutions at Lookout, speculates on how this attack could have begun:
"These attacks typically start with either compromised corporate credentials, malware being delivered to users via corporate email or collaboration platforms, or a vulnerable server or app being exploited.
Corporate credentials are typically stolen via phishing, which is even more effective if the attacker can socially engineer the target over a personal channel like SMS, social media, or a third-party chat app.
Malware delivery is becoming a more dated tactic with the effectiveness of inbound email security solutions such as secure email gateway (SEG), but it's still used by attackers to gain their initial foothold directly in corporate infrastructure.
Vulnerable apps and servers can be exploited by attackers, especially if they're older assets that IT teams no longer have visibility into. It's critical to mask the presence of web-enabled on-premises assets with a Zero Trust network access (ZTNA) solution.
The best thing these companies can do right now is allocate every resource at their disposal to getting operations back on line—both for the good of themselves and their customers," Schless said.
But who was behind this attack?
Possible Russia ties in German oil cyberattack
Even though no group has come out and claimed responsibility for this attack, speculation has begun circling around who would attack German critical infrastructure. The answer might not be very surprising.
Schless believes that the timing of this attack points to Russian ties:
"The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved. There isn't enough information to say who was responsible, but regardless, the attackers saw an opportunity to put even more pressure on Germany, which is one of the largest consumers of Russian gas in Europe.
This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber activity, which attackers do as often as they can.
Last year with the Colonial Pipeline ransomware attack in the United States, the world saw how disruptive a cyberattack on critical infrastructure can be. While we don't yet have details as to whether this was a ransomware attack, limiting the business continuity of companies like Oiltanking GmbH and Mabanaft is sure to take time to recover from.
It typically costs organizations between $750,000 and $1.85 million USD to recover from a significant ransomware attack, which doesn't even include the cost of lost business due to the incident."
Regardless of who was behind this cyberattack, it serves as an urgent reminder to everyone, not just those in critical infrastructure, to ensure their security protocols are up to date.
Follow SecureWorld News for updates on the situation.