Achtung Shell

Shell Deutschland GmbH is reporting it was able to "reroute to alternative supply depots for the time being."  The company’s Oiltanking Deutschland GmbH and mineral oil dealer Mabanaft were hit by a cyber-attack which disrupted their IT systems and supply chain.  The attack allegedly took place on 31 January 2022.

Royal Dutch Shell said today it was re-routing oil supplies to other depots following a cyber-attack on two subsidiaries of German logistics firm Marquard & Bahls this week.  Shell Deutschland GmbH told a media source it was able to "reroute to alternative supply depots for the time being", a spokesperson said in a statement.  Marquard & Bahls told its business partners it was "working to solve the problem according to emergency plans," local media reported.

The Hamburg, Germany-based group generated sales of 10.5 billion euros ($11.83 billion) in 2020 and employs around 6,200 people.  Oiltanking owns and operates 45 terminals in 20 countries, according to the company.  Germany's cybersecurity agency said it was offering its support in response to the attack.[1]

"I consider this incident to be serious, but not grave," reported the president of the Federal Office for Information Security at a news conference.  "The companies produce 1.6 million liters of fuel oil and 2.1 million liters of fuel per year... It affects 233 fuel stations in northern Germany.  It is probably possible to pay in cash," he said.

Last year, top US fuel pipeline operator Colonial Pipeline shut its entire network, the source of nearly half of the US East Coast's fuel supply, after a ransomware attack. The incident was one of the most disruptive digital operations ever reported.  Colonial Pipeline said at the time it paid hackers nearly $5 million to regain access to its systems.

The nature of the attack against Marquard & Bahls is not clear at this time.  The company did not respond to media inquiries.  ($1 = 0.8873 euros)

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed transportation cyber indicators.  Looking through records in our Cyber Threat Analysis Center (CTAC) data for Shell, we saw 59 hits (including duplicates) from our dark web collections.  Of the unique values, we noticed on CL0P, Filgo (an affiliated Shell distributor) on ViceSociety, and Cosan (owner of a joint venture with Shell, Raizen SA) on Nephilim.  This would indicate that each of these sites was ransomed independently of the others.


For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings