Cyber Incident Victim: INA d.d.
Date: Feb 2020
Location: Croatia
Summary
A ransomware attack attributed to the CLOP strain impacted backend servers at Croatia's largest petrol station chain, disrupting operational functions including invoice issuance, loyalty card processing, mobile voucher distribution, electronic vignette provisioning, and gas utility bill payments. While fuel distribution and payment systems remained unaffected, the incident forced the state-partnered energy provider to publicly acknowledge the breach and initiate recovery efforts, consistent with CLOP's known targeting of corporate networks for high-value extortion.
Description
On or around February 14, 2020, Croatia’s INA Group, the nation’s largest petrol station chain and a natural gas provider, experienced a cyber-attack that disrupted critical backend systems. The incident, publicly disclosed by the company over the preceding weekend, was attributed by multiple sources to a ransomware infection. The attack encrypted portions of INA’s backend infrastructure, impairing operational capabilities. While fuel distribution and payment processing at petrol stations remained functional, the ransomware severely impacted ancillary services. These disruptions included the inability to generate invoices, process loyalty card transactions, issue mobile vouchers or electronic vignettes, and accept payments for gas utility bills—a service tied to INA’s role as a natural gas supplier. The company issued a public apology and confirmed ongoing efforts to restore systems, though services remained offline as of the attack’s public reporting date. INA, part of the MOL Group with the Croatian government as its primary shareholder, did not provide further details when contacted by media.

Technical evidence and open-source reporting indicated the CLOP ransomware strain was responsible. A Sophos malware analyst had observed a new command-and-control server associated with CLOP operations becoming active hours before INA’s disclosure, aligning with the attack timeline. Subsequent analysis identified new CLOP variants uploaded to VirusTotal around the same period. CLOP’s involvement matched its established pattern of targeting enterprises rather than individual users, a shift documented since March 2019. Security researchers classify CLOP’s operators as “big-game ransomware” actors, specializing in network-wide encryption attacks against corporations to extract substantial ransoms. The incident underscored the group’s continued focus on high-impact targets, though INA did not confirm whether a ransom demand was received or paid. Restoration efforts remained the company’s stated priority, with no additional operational or financial details disclosed.
