Cyber Incident Victim: Evos
Date: Jan 2022
Location: Netherlands
Summary
A cyber attack targeted oil terminals operated by Evos in the Netherlands, Belgium, and Malta, causing operational disruptions including slowdowns in loading and unloading oil at affected ports. Similar incidents impacted another company's terminals across Europe and Africa, collectively straining fuel distribution by delaying oil deliveries to retail sources. While the attacks raised concerns about potential coordination, no definitive links were established. Cybersecurity authorities suggested criminal motives, though speculation emerged about possible connections to geopolitical tensions. Attack methods remained unconfirmed, with unverified reports implicating ransomware strains like BlackCat or Conti. The incidents highlighted ongoing vulnerabilities in critical infrastructure amid evolving ransomware threats and potential state-aligned cyber activity.
Description
In late January and early February 2022, cyber attacks disrupted operations at oil terminals operated by Evos in the Netherlands and SEA-Invest in Belgium. The incident at Evos specifically affected terminals in Terneuzen, Ghent, and Malta, causing slowdowns in oil loading and unloading processes at Dutch ports. SEA-Invest reported broader impacts across its European and African port operations. While both companies maintained operational status, the attacks created logistical bottlenecks affecting fuel distribution networks. Europe's largest cargo port, Riverlake in Rotterdam, experienced halted oil barge unloading due to the disruptions. The collective impact exceeded that of the earlier late-January cyber incidents at German oil suppliers, which had been locally contained through alternative fuel sourcing. Difficulties in filling delivery tankers led to slowed oil shipments to retail destinations, though the duration remained uncertain due to limited public disclosures about mitigation progress.

SEA-Invest activated backup systems during mitigation efforts, maintaining partial liquid transportation functionality while working to restore primary systems. Evos confirmed all Dutch terminals remained operational despite processing delays. No confirmed linkages existed between these attacks and the earlier German incidents, though an anonymous source claimed the SEA-Invest breach occurred approximately one day after the German attacks. The Dutch National Cyber Security Centre attributed the Evos incident to "probably criminal motives," though geopolitical speculation connected the events to Russian energy tensions or Chinese advanced persistent threat groups. Unverified reports suggested possible involvement of BlackCat ransomware (linked to dissolved groups like DarkSide/REvil) or Conti ransomware (associated with Russian Wizard Spider operators), though no official attribution or malware confirmation was provided by affected companies. The incidents highlighted persistent ransomware threats to critical infrastructure amid limited public technical details about intrusion vectors, file encryption, or data exfiltration.
