
Ransomware Attack in Germany Tied to Colonial Pipeline Hackers


A Russia-linked cybercrime gang was allegedly responsible for ransomware attacks that took down a swath of Germany’s fuel-distribution system this week and hindered payments at some filling stations.

Hackers using a strain of ransomware known as “Black Cat” infected computers at Mabanaft GmbH and Oiltanking GmbH Group, according to two people familiar with an investigation into the breaches.

Ransomware is a type of malicious software that encrypts files on victims’ computers, rendering them inaccessible until a ransom is paid. It’s not known how much money the Black Cat gang has demanded from the firms.

The hackers behind Black Cat appear to be related to the DarkSide ransomware gang, according to Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. DarkSide was accused of the attack on Colonial Pipeline Co. last year, which shut down the largest gasoline pipeline in the U.S. for several days in May.

Other energy-storage companies, including Evos Group, have also suffered IT problems in recent days, at facilities spanning Malta, Belgium and the Netherlands. The precise cause of the disruption at Evos is currently unclear. On Thursday, the firm said the source was still being investigated.

The attacks come amid heightened tensions in the region as Russian troops are massed on the Ukrainian border, raising fears of an imminent ground attack. Such an attack could imperil Russian fuel supplies to Germany and other parts of Europe. Russian President Vladimir Putin has repeatedly denied he plans to invade.

Mabanaft, which distributes large amounts of fuel across Germany, said on Tuesday that its computer systems had been breached and its operations disrupted. Oiltanking GmbH Group, which operates terminals internationally, confirmed that its systems were also affected by the cyberattack. Both companies are owned by the Hamburg-based fuel group Marquard & Bahls AG.

A spokesperson for the companies declined to comment on the ransomware. The companies discovered they had been “the victim of a cyber incident” on January 29 and were working with specialists to investigate, the spokesperson said. They were hoping to resume normal operations by early next week, according to the people.

The prosecutor’s office in Hamburg said it had opened an investigation into the breach but hadn’t yet identified a suspect. “At the moment no information concerning the perpetrator behind the attack can be provided,” said Liddy Oechtering, a spokeswoman for the prosecutor’s office. “So far the investigations are directed against unknown.”

The German newspaper Handelsblatt previously reported that the hackers used the Black Cat ransomware, citing a report from Germany’s Federal Office for Information Security. The two people familiar with the investigation confirmed that account to Bloomberg News.

Black Cat’s ransomware code is written in Russian and is known for its “sophistication and innovation,” according to a report published in January by researchers at Unit 42, a cybersecurity team at Palo Alto Networks. The gang, which has been active since November 2021, has recruited “affiliates” on cybercrime forums who effectively rent out the ransomware to hack companies and organizations, according to the report.

Doel Santos, a threat intelligence analyst for Unit 42, said that hackers using Black Cat’s ransomware, which is also known as ALPHV, had been “very active” since December. They were targeting a wide range of industries, including construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals, he said. The gang has focused its extortion efforts on companies and organizations in countries including the U.S., Germany, France, Spain, the Philippines, and the Netherlands, the Unit 42 report found.

“What’s unusual is that for a new group they are very skilled,” said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc. “The methodology is the same across all of these ransomware groups. But Black Cat moves around networks quickly. They get the data quickly, and they are not afraid to go after big targets.” Liska added that people involved in the gang appeared to be native Russian speakers, as indicated by their posts on Russian-language cybercrime forums.

Liska called the timing of the attacks suspicious but said it wasn’t yet clear whether there was any link to the tensions in Ukraine.

Callow, from Emsisoft, said he believed Black Cat was likely the latest incarnation of the prolific ransomware groups BlackMatter and DarkSide.

After the Colonial Pipeline attack drew widespread condemnation and pressure from law enforcement, DarkSide rebranded under a different name, BlackMatter, a common tactic by ransomware gangs when they come under intense scrutiny.

But BlackMatter didn’t last long either, Callow said, in part because Emsisoft discovered a vulnerability in its ransomware that helped victims recover their files without paying any ransom.

The organizers of the group hired new developers and rebranded again, under the name Black Cat, Callow said.

Callow said that the new Black Cat ransomware was more sophisticated and didn’t include the same errors in its code as ransomware strains deployed by previous incarnations of the gang.

Authorities in Germany have described the hacks this week as serious, but played down the level of disruption to the country’s fuel supplies. A spokesman for the country’s Federal Office for Information Security said that 233 gasoline filling stations, largely in northern Germany, had been affected, only 1.7% of the country’s total. At some of those stations it wasn’t possible to pay by credit card, the spokesman said.

—With assistance from Jack Wittels and Rachel Graham.
