Prosecutors investigating cyberattacks affecting multiple Belgian and Dutch ports

Evos said it is dealing with a "disruption of IT services" at its terminals in Terneuzen, Ghent, and Malta.
Written by Jonathan Greig, Contributor

Multiple ports in Belgium and the Netherlands reported issues after a cyberattack affecting IT services was announced. Terminals operated by SEA-Tank, Oiltanking, and Evos in Antwerp, Ghent, Amsterdam, and Terneuzen are all dealing with issues related to their operational systems, according to France24.

A spokesperson from Evos told ZDNet that they are continuing to operate their terminals but are having some delays after the attack. 

"There is a disruption of IT services at our terminals in Terneuzen, Ghent, and Malta, which is causing some delays in execution. All operations continue to take place in a safe manner," the spokesperson said. 

Prosecutors in Antwerp have opened an investigation into the cyberattacks and told the Associated Press that the Federal Computer Crime Unit is looking into the issue. 

Companies reported having difficulties unloading barges because their software had been "hijacked," making it difficult to process each one. 

The incidents come days after oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, suffered a cyberattack that crippled their loading and unloading systems. 

Oiltanking told ZDNet in a statement yesterday that its terminals are operating with limited capacity and that they "have declared force majeure." On Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. German newspaper Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.

An internal report from the German Federal Office for Information Security (BSI) said the BlackCat ransomware group was behind the attack on Oiltanking. 

Emsisoft threat analyst Brett Callow noted that it is likely BlackCat is a rebrand of BlackMatter, which was itself a rebrand of DarkSide, the group behind the ransomware attack on Colonial Pipeline in May 2021. 

Billion-dollar German logistics firm Hellmann Worldwide Logistics was also hit with ransomware in December.

Andy Norton, cyber risk officer at Armis, said that ICS cybersecurity simply didn't exist for decades because it didn't need to. He explained that operational technology and information technology were separate domains with separate systems that didn't connect to each other, and legacy industrial devices didn't connect independently to the internet or to each other. 

"This disconnection -- the so-called 'air gap' -- was thought to be all the security that OT systems needed, aside from physical access control. Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security," Norton said. 

"As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organizations struggle to find the right approach to protect their operational technology," Norton added.

"Facilities that can't operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web -- or destroy that data altogether."
