Oiltanking Deutschland and Mabanaft, two German oil companies, were hit by a cyberattack over the weekend. Evos, a gas and oil storage company with a location in the Netherlands, appears to have been hit by a related attack.
Some of Mabanaft’s and Oiltanking’s production systems are down. Thousands of customers’ gas stations switched to alternative suppliers. Yesterday, the website Marketscreener claimed that six other oil and gas storage sites of Sea Tank, Oiltanking and Evos in the Netherlands and Belgium were hit.
Evos, a storage company for oil and gas, confirmed the news. “The IT services of our terminal in Terneuzen (the Netherlands) have been disrupted, causing some delays in operations”, a spokesperson said.
No one seems to know where the attack came from, how the malware operates and why the organizations were hit. Chances are that Oiltanking and Mabanaft have an idea, but prefer to keep things quiet at this time. We looked for answers in the security industry. Paul Visch, Regional Manager Benelux at Lookout, analyzed the incident.
“The timing is striking”, says Visch. “Recently, Russia threatened to shut down its oil pipelines to Europe due to the crisis in Ukraine. There is not enough information available to say who is responsible for the attack, but either way, the attackers saw an opportunity to pressure Germany, which is one of the largest consumers of Russian fuel in Europe.”
Last year’s ransomware attack on Colonial Pipeline in the US showed how disruptive a cyberattack on critical infrastructure can be. Visch responds: “It is not yet known whether this is a ransomware attack. However, it will certainly take Oiltanking and Mabanaft time to restore business operations.”
“It typically costs organizations between 650,000 and 1.6 million euros to recover from a massive ransomware attack. These figures don’t include the cost of revenue loss during an incident.”
Visch emphasizes that the type of attack on Oiltanking and Mabanaft usually begins with the abuse of stolen login credentials, malware delivered via email or collaboration platforms, or a vulnerable server or app.