Cyber Incident Victim: KMG International
Date: Mar 2022
Location: Romania
Summary
A subsidiary of KMG International experienced a ransomware attack attributed to the Hive group, disrupting digital services including corporate websites and a customer-facing fuel payment application while physical gas station operations continued with alternative payment methods. The attack compromised internal IT infrastructure but did not affect refinery operations, with the threat actors demanding a multi-million dollar ransom for decryption and to prevent potential data leaks. The company engaged national cybersecurity authorities for remediation and emphasized protective measures taken to secure systems during the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 6, 2022, at approximately 21:00 local time, Rompetrol, a subsidiary of KMG International operating Romania’s largest oil refinery and gas station network, detected a ransomware attack affecting most of its IT services. The company publicly announced the incident the following day via a Facebook post, describing it as a "complex cyberattack" that forced the immediate shutdown of its public websites and Fill&Go mobile payment application used by fleet operators and private customers at gas stations. While Rompetrol’s email system remained operational on Microsoft Outlook, the company proactively suspended affected digital services to protect customer data. Physical operations at Rompetrol gas stations continued normally with alternative payment methods (cash or bank cards), and refinery activities at the Petromidia Navodari facility—processing over five million tons annually—were not disrupted despite unconfirmed reports of threat actor access to its internal IT network. KMG International promptly engaged Romania’s National Directorate of Cyber Security (DNSC) for assistance, maintaining constant communication to mitigate the incident.

BleepingComputer identified the Hive ransomware gang as the perpetrators, who demanded a $2 million ransom for a decryptor and to prevent the leak of allegedly stolen data. The attack occurred days before Rompetrol Rafinare’s pre-scheduled maintenance shutdown between March 11 and April 3, though the company clarified this planned downtime was unrelated to cybersecurity concerns. Hive employed tactics consistent with its known modus operandi, which the FBI had previously warned involves diverse techniques complicating defense measures. The group’s history included disruptive attacks like the 2021 breach of Memorial Health System, which caused surgical cancellations and patient data theft. Rompetrol’s incident response focused on containment through service suspensions and collaboration with national authorities, avoiding operational halts in refining or retail distribution while assessing the full scope of compromised systems and data.
