[updated] Cyberattack on fuel supplier causes supply chain disruption

A cyberattack has disrupted the German operations of fuel supplier Oiltanking Deutschland GmbH & Co. KG. The supplier is responsible for deliveries to, among others, the thousands of Shell and Aral gas stations in Germany.

The Oiltanking division of Hamburg-based Marquard & Bahls owns and operates 45 terminals in 20 countries. As far as we know, only German branches of the firm are affected by the attack.

Distribution system blocked

The main problem for the supplier is that the automated systems that load the supply trucks are disabled: the attack stopped them from working, and they can’t be operated manually. The company is using alternative loading points to fill part of the need and Shell is re-routing oil supplies to other depots. Aral, the largest petrol station network in Germany with around 2,300 stations, has also started supplying its stations from alternative sources in light of the disturbance.

Since there are a total of 26 similar companies in Germany and the disruption only blocks one specific part of the distribution chain, it seems unlikely that the consequences will be as severe as after the ransomware attack on Colonial Pipeline last year.

The attack

The attack struck two companies that are both subsidiaries of Marquard & Bahls. These companies, Oiltanking GmbH Group and mineral oil dealer Mabanaft GmbH & Co. KG Group, say they discovered on January 29 that they had been hit by an attack that disrupted their IT systems and caused a disruption of the supply chain.

The companies say they are undertaking a thorough investigation, together with external specialists, and are collaborating closely with the relevant authorities. They also said the attack has no influence on the safety of the terminal operations that were able to continue.


The attack follows closely after a warning was issued by the Bundesamt für Verfassungsschutz (Germany’s domestic security service) that it was expecting a surge in the number of China-sponsored cyberattacks on German organizations that play a key part in supply chains. The warning specifically mentioned APT27 aka Emissary Panda.

The German agency says APT27 has been exploiting flaws in Zoho ADSelfService Plus software, an enterprise password management solution for Active Directory and cloud apps, since March 2021. Last September the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint advisory that advanced persistent threat (APT) groups were exploiting the very same vulnerability.

APT27 and other Chinese-backed hacking groups were also linked to attacks exploiting critical ProxyLogon bugs in early March 2021 that allowed them to take over and steal data from unpatched Microsoft Exchange servers worldwide. It can’t be ruled out completely that this attack was done by the APT27 group, but there are no indications that point to this group specifically. There is speculation about ransomware, but this has not been confirmed or denied by any of the parties involved.

The Bundesamt für Verfassungsschutz had also warned that cybercriminals, in addition to stealing business secrets and intellectual property, may also try to infiltrate the networks of (corporate) organizations or service providers to initiate a supply chain attack.

Update February 3, 2022

This morning, Dutch and Belgian media reported that at least 6 oil terminals run by SEA-Tank, Oiltanking, and Evos in the harbors of Antwerp, Ghent, Amsterdam and Terneuzen are experiencing IT problems. There is no official statement available (yet) that these problems are the consequences of a cyber attack, but the timing seems to rule out coincidence.

Another important fact to consider here is that the Evos terminals were recently bought by Evos from Oiltanking. So there is a good chance that the software and systems all these terminals are using are the same or at least very similar. We’ll keep you posted.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.