Major German fuel storage provider hit with cyberattack, working under limited operations

Global operations of Oiltanking were not affected.
Oil storage tanks in Hamburg harbor, Germany. (Photo by plus49/Construction Photography/Avalon/Getty Images)

A cyberattack struck major German oil storage company Oiltanking GmbH Group on Sunday, the company confirmed to CyberScoop in a statement.

The BlackCat ransomware appears to be the source of the attack, according to a report by Germany’s intelligence authority obtained by Handelsblatt.

The attack affected the IT systems of Oiltanking as well as the mineral oil trade company Mabanaft, German news outlet Handelsblatt first reported. Both companies belong to the Hamburg-based Marquard & Bahls group, one of the world’s largest energy supply companies.

The attack shut down the oil tank company’s IT systems, according to a statement by the company’s head of corporate communications, Claudia Wagner. Oiltanking’s German subsidiary which operates all terminals in Germany is operating at limited capacity.


Oiltanking’s global operations were not affected.

“We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident,” Wagner wrote to CyberScoop in an email. “We are undertaking a thorough investigation, together with external specialists and are collaborating closely with the relevant authorities.”

Oiltanking Germany owns and operates 11 terminals with a total storage capacity of 2.375 million cubic meters of fuel. Clients of the company include a number of mid-sized companies as well as oil corporation Shell. Royal Dutch Shell is now re-routing oil supplies to other storage, the company told Reuters.

As of December, Black Cat had the seventh-most victims of all ransomware groups tracked by Palo Alto Network’s Unit 42 threat intelligence unit. The group uses the coding language Rust, which is highly customizable and allowed the group to build a reputation for individualized attacks. It also pays affiliates, who rent out its attack infrastructure, a high commission compared to other groups.

The attack comes as Germany, which is heavily reliant on Russian oil, considers pulling out of a major gas pipeline deal with Russia if the nation further invades Ukraine. German intelligence also issued a warning last week about ongoing cyberattacks by APT27, a Chinese-based hacking group.


“There isn’t enough information to say who was responsible, but regardless the attackers saw an opportunity to put even more pressure on Germany, which is one of the largest consumers of Russian gas in Europe,” Hank Schless, senior manager for security solutions at Lookout, wrote in an email to CyberScoop. “This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber activity, which attackers do as often as they can.”

Cyberattacks against the energy sector have proven extremely destabilizing in the past. A May ransomware attack against U.S.-based Colonial Pipeline caused a panic at American gas stations.

Updated 2/2/2022: To include additional information about the nature of the attack.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts