Multiple ports in Belgium and the Netherlands are reporting issues after a cyberattack affecting IT services was announced. Terminals operated by SEA-Tank, Oiltanking and Evos in Antwerp, Ghent, Amsterdam and Terneuzen are all dealing with issues related to their operational systems, according to France24.
A spokesperson from Evos told ZDNet that they are continuing to operate their terminals but are having some delays after the attack.
“There is a disruption of IT services at our terminals in Terneuzen, Ghent and Malta, which is causing some delays in execution. All operations continue to take place in a safe manner,” the spokesperson said.
Prosecutors in Antwerp have opened an investigation into the cyberattacks and told the Associated Press that the Federal Computer Crime Unit is looking into the issue.
Companies reported having difficulties unloading barges because their software had been “hijacked,” making it difficult to process each one.
The incidents come days after oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, suffered a cyberattack that crippled their loading and unloading systems.
Oiltanking told ZDNet in a statement yesterday that its terminals are operating with limited capacity and that they “have declared force majeure.” On Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. German newspaper Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.
An internal report from the German Federal Office for Information Security (BSI) said the BlackCat ransomware group was behind the attack on Oiltanking.
Emsisoft threat analyst Brett Callow noted that it is likely BlackCat is a rebrand of BlackMatter, which was itself a rebrand of Darkside, the group behind the ransomware attack on Colonial Pipeline in May 2021.
Billion-dollar German logistics firm Hellmann Worldwide Logistics was also hit with ransomware in December.
Andy Norton, cyber risk officer at Armis, said that for decades, ICS cybersecurity simply didn’t exist because it didn’t need to. Operational technology and information technology, he explained, were separate domains with separate systems that didn’t connect to each other, and legacy industrial devices didn’t connect independently to the internet or to each other.
“This disconnection, the so-called ‘air gap,’ was thought to be all the security that OT systems needed, aside from physical access control. Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security,” Norton said.
“As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organizations struggle to find the right approach to protect their operational technology. For example, many operation managers are concerned about downtime and the impact of implementing more security for their OT, IIoT, and other ICS devices. That’s understandable because legacy solutions that are built to scan IT networks can knock these devices offline or cause them to malfunction, if the scan can detect them at all. Facilities that can’t operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web, or destroy that data altogether.”