When the LockBit ransomware gang announced it had hit maritime fuel provider Petrologis Canarias earlier this month, the hackers proclaimed the cyberattack “Colonial Pipeline 2.0” with an added wink emoji.

Unfortunately for the hackers, it could never have lived up to the massive disruption of the U.S. fuel supply after the ransomware attack on Colonial. Based in Spain’s Canary Islands, their victim has 73,500 cubic meters, or 19.4 million gallons, used for bunkering — the refueling of vessels. The firm, operating out of the Port of Las Palmas, also provides bunkering logistics services. 

Jack Jordan, managing editor of Ship & Bunker, characterized Petrologis as a small-to-midsize player in what itself is a small market that’s a “​​key place you might stop off coming from Africa.”

“If that facility were to disappear, it would be inconvenient for ships traversing the Canaries,” Jordan said. Vessels, instead, might have to source their fuel from Gibraltar or South Africa. 

The attack on Petrologis does not appear to have taken the fuel provider out of commission. But the extent of the incident is murky. The company contends that it failed to impact operations, and that it remedied the problem by restarting the affected computers. Meanwhile, the hackers are preparing to leak over 11 gigabytes of stolen data in retaliation for Petrologis not paying an unspecified ransom.

While much remains uncertain about what befell Petrologis, the attack reflects cybersecurity risks facing the maritime industry. In 2020 alone, the maritime industry experienced over 500 attacks, according to the U.S. Coast Guard’s Cyber Strategic Outlook. More recently, a ransomware attack at South Africa’s Port of Durban caused days of disruptions to container operations. 

Gwilym Lewis, director and co-founder of U.K.-based cybersecurity firm Appsecco, said that while major shipping lines largely have “their houses in order” — having experienced major attacks themselves — the broader maritime industry is largely underprepared for cyber threats. 

“The whole sector is probably a decade behind everyone else,” said Lewis, who worked closely with vessel owners and operators during a stint as CEO of the maritime cybersecurity firm Neptune Cyber.

The attack on Petrologis, he said, is emblematic of cybersecurity deficiencies among smaller companies that supply and service the global maritime industry. “There’s a massive lack of understanding of what can happen,” he said.  

Firm claims restarting computers resolved issues

LockBit gained prominence this summer amid attacks on targets across the world, including one on the large technology consulting firm Accenture. The group provides its malware and infrastructure to other hackers for a share of the proceeds. The attacks themselves operate by both encrypting victims’ systems and stealing data. Hackers demand ransom in exchange for a key to restore the access and a promise to not post the data to LockBit’s leak site, a common tactic.

After American Shipper inquired about LockBit’s claims, Petrologis Canarias operations manager Fernando Méndez Suárez confirmed that the company had experienced a cyberattack.

“The cyberattack affected only [a] few computers,” he wrote in a message on LinkedIn. “All our operational and internal software were not affected.”

Suárez added that the computers were “working without any problems” after the company reset them. 

The hackers declined to comment on the company’s claims or whether their attack impacted operations. A LockBit representative confirmed that Petrologis had refused to pay an unspecified ransom.

“They did not want to pay,” the LockBit representative wrote in a chat. “It’s not my problem.”

Brett Callow, a threat analyst with cybersecurity software firm Emsisoft, said he was skeptical of the company’s account since ransomware attacks are not reversible simply by restarting the affected computers. 

“If all they did was reboot these systems, they are definitely not past this,” Callow said.

While it is possible that the final step in a ransomware attack was either disrupted or simply failed, the systems would still be infected with the malware that provided the hackers access, Callow said. 

“Evicting the attackers is actually a long, very hard process,” Callow said, noting that victims generally need to contemplate rebuilding their entire IT infrastructure to ensure the malware is gone.

Bunkering sector’s tech behind the times

In February, La Provincia, a newspaper serving Las Palmas, reported that Petrologis Canarias was in the midst of a four-year plan to modernize its facilities, which included unspecified improvements to technology. 

Small players in the bunkering industry, which includes Petrologis, are generally laggards when it comes to technology, according to Jordan. 

“A lot of them are stuck on computers running Windows XP,” he said, referring to the version of Microsoft’s operating system released 19 years ago. “But it’s getting better.”

Companies relying on outdated software often do so at their peril. Beyond the well-known risks from phishing, hackers frequently exploit known vulnerabilities in software to stage ransomware attacks on systems that simply haven’t been updated. 

For many companies in the maritime industry, the issue boils down to a lack of awareness about cybersecurity, and a lack of willingness to invest to improve it. 

“The basics are missing, completely,” Lewis said.

The consequences can extend beyond the visible catastrophic operations failure. Even if a company like Petrologis is physically able to supply fuel, other problems can arise, he said. 

“What happens if you’re unable to provide invoices for bunkering?” he said.

Read more

Cyberthieves say they have ‘moral principles’
Colonial-level cyberattack on trucking likely – but preventable
Inside a ransomware attack on a small trucking company

Click for more articles by Nate Tabak