ALPHV ransomware gang claims it breached Trans-Northern Pipelines

Canada's pipeline operator Trans-Northern Pipelines was attacked back in November last year

ALPHV ransomware attack on Canada's Trans-Northern Pipelines

Trans-Northern Pipelines Inc. (TNPI), a significant player in Canada's energy infrastructure, fell prey to a ransomware attack in November 2023 that was orchestrated by the ALPHV/BlackCat group.

The attackers claimed to have stolen 190GB of critical data from TNPI,[1] a company responsible for transporting refined petroleum products across significant parts of Ontario, Quebec, and Alberta. This incident is part of an alarming pattern in which the infrastructure of essential services is targeted by cybercriminal organizations seeking to exploit or cripple vital operational capabilities for ransom.

The ALPHV group exhibits a high level of organizational expertise, pursuing lucrative victims in the critical infrastructure sectors through a ransomware-as-a-service model. This approach disrupts operations and poses a major threat to national security, highlighting the strategic value of such targets to cybercriminals.

To move 221,300 barrels (35,200 cubic meters) of refined petroleum products daily, TNPI oversees a network of pipelines spanning 850 kilometers (528 miles) through Ontario and Quebec and an additional 320 kilometers (198 miles) in Alberta. Fuels such as heating oil, diesel, aviation fuel, and gasoline are transported straight from refineries to distribution hubs via these underground pipelines.

Trans-Northern Pipelines is investigating the attack

Trans-Northern Pipelines managed to maintain pipeline operations after the attack by quickly engaging security experts to mitigate the impact of the breach. This prompt action demonstrates how resilient and cyber-ready the critical infrastructure sectors are becoming.

The company's spokesperson Lisa Dornan said the following:[2]

Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems. We have worked with third-party cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.

Even with containment measures in place, the breach raised serious concerns about the security of sensitive data and the possible effects on the operational integrity and credibility of the organization. The event reflects the larger problem critical infrastructure operators face in defending their systems against ever more advanced cyberattacks.

The attack on Trans-Northern Pipelines is part of a broader trend of targeted ransomware campaigns against critical infrastructure, highlighting a global cyber threat landscape where no sector remains immune.

ALPHV claimed more than 1,000 victims over the few years of its operation

Since its inception in November 2021, the ALPHV ransomware group has undergone significant transformations, originating as DarkSide and later operating under the name BlackMatter. This evolution followed the notorious attack on the Colonial Pipeline, which brought the group into the international spotlight and led to a temporary cessation of its activities. However, ALPHV demonstrated resilience by rebranding to BlackMatter and eventually adopting the ALPHV/BlackCat identity in February 2022.

In just a few months after rebranding, ALPHV was linked to more than 60 cyberattacks globally,[3] demonstrating a comprehensive and aggressive approach to its illegal activities. By September 2023, the group had forced more than 1,000 victims to pay more than $300 million in ransom, demonstrating the significant financial consequences of its activities. The extent of this financial extraction highlights the serious harm that ransomware criminals cause to international economies and businesses.

The Federal Bureau of Investigation (FBI) took an important step toward disrupting ALPHV's operations,[4] breaching the group's servers and temporarily shutting down its communication platforms. Yet ALPHV's prompt recovery and operational continuity, seen in the re-opening of its data leak site despite these measures, highlight the continued difficulty authorities face in permanently stopping such cybercrime.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
