Trans-Northern Pipelines Hit by ALPHV Ransomware Attack

Written by Gabby Lee

February 16, 2024


Trans-Northern Pipelines (TNPI) has confirmed an ALPHV ransomware attack that caused a breach within its internal network in November 2023. The company is currently investigating allegations of data theft made by the ALPHV/BlackCat ransomware group.


TNPI operates a significant pipeline infrastructure, consisting of 850 kilometers (528 miles) in Ontario-Quebec and 320 kilometers (198 miles) in Alberta. On a daily basis, the company transports approximately 221,300 barrels (35,200 m³) of refined petroleum products through these underground pipeline systems.

These products include gasoline, diesel fuel, aviation fuel, and heating fuel, which are transported from refineries to distribution terminals.

“Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems,”

“We have worked with third-party, cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems.

“We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.”

said TNPI Communications Team Lead Lisa Dornan.

Although Dornan, the spokesperson for TNPI, did not explicitly address the claims made by ALPHV ransomware, the BlackCat ransomware gang asserts that they successfully exfiltrated 183GB of documents from the company’s network.

These purportedly stolen files have since been made available on ALPHV’s data leak site. Additionally, the ransomware group has included contact details for multiple TNPI employees on the same leak page.

Who Is the BlackCat/ALPHV Ransomware Group?

ALPHV ransomware, previously known as DarkSide and BlackMatter, first emerged in November 2021. The group is believed to have rebranded itself after facing significant consequences following the notorious Colonial Pipeline attack.

The incident triggered extensive global investigations by law enforcement agencies, resulting in the seizure of their infrastructure and the subsequent shutdown of their operations. However, the ransomware group resurfaced a few months later under the name BlackMatter, only to shut down again in November 2021. They then reappeared as ALPHV/BlackCat in February 2022.

According to the Federal Bureau of Investigation (FBI), ALPHV, previously known as DarkSide and BlackMatter, has been linked to more than 60 breaches targeting organizations globally in its initial four months of operation from November 2021 to March 2022.

The FBI also reports that ALPHV managed to accumulate over $300 million in ransom payments from more than 1,000 victims worldwide until September 2023.

“ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments,”

the FBI said in a statement.

In December, the FBI successfully disrupted ALPHV’s operation by breaching the gang’s servers. This action allowed them to temporarily take down ALPHV’s Tor negotiation and data leak websites.

The FBI had been monitoring the gang’s activities for months and had also developed a decryption tool. However, ALPHV has managed to regain control of their data leak site by utilizing their private keys and has launched a new Tor URL that the FBI is unable to take down.
