Dive Brief:
- Trans-Northern Pipelines confirmed it’s aware of and responding to the AlphV ransomware group’s alleged attack against its systems. Operations are not currently impacted and an investigation is underway, a company spokesperson said Tuesday.
- “We did experience a cybersecurity incident in November of 2023 that impacted some of our internal systems, but we’ve continued to safely operate our pipeline systems themselves,” the spokesperson told Cybersecurity Dive. “We are aware of those posts and the claims, and we are looking into them.”
- AlphV is a prolific ransomware group that reemerged mere hours after law enforcement took down its infrastructure in December. The group claims it stole and leaked 183 GB of the pipeline operator’s data, according to a Tuesday post on its data leak site.
Dive Insight:
Links between the November cyberattack against Trans-Northern Pipelines and AlphV’s threats against the company on its data leak site are unconfirmed, but ransomware groups typically engage with companies for weeks or months in a bid to extract an extortion payment before leaking stolen data.
Trans-Northern Pipelines operates two pipeline systems in Canada — a 530-mile pipeline linking Montreal to Ottawa, Ontario, and Toronto, and a 200-mile pipeline from Edmonton to Calgary, Alberta. The underground pipelines transport a combined 221,300 barrels of refined fuel daily, according to the company.
Trans-Northern Pipelines’ spokesperson said they weren’t aware of a ransom demand connected to the November incident or AlphV’s threats.
The breach and resulting impact on the pipeline operator’s internal systems were limited and contained with assistance from external cybersecurity experts by the end of 2023, the spokesperson said. “We continued to safely operate our pipeline system as we do now as well.”
The November cyberattack also impacted the pipeline operator’s ability to respond to a federal regulator’s inquiry into an unrelated matter involving unauthorized on-the-ground activity on one of its pipelines.
The pipeline operator said its internal systems, including communication with external parties, were constrained after the November cyberattack, which delayed its response to Canada Energy Regulator.
Trans-Northern Pipelines said the cybersecurity incident hindered its ability to “retrieve files and exchange data electronically with consultants and vendors, delaying the generation of the engineering assessment reports and resulting in hard-copy file exchanges, which took additional time,” Canada Energy Regulator said in a December report.
AlphV is affiliated with the BlackMatter ransomware tool, which was linked to the DarkSide ransomware group responsible for the 2021 attack against Colonial Pipeline, according to Brett Callow, threat analyst at Emsisoft. That infamous attack disrupted gas supply on the East Coast for days.
“The East Coast of the U.S. came within days of running out of fuel after the attack of Colonial Pipeline,” Callow said. “The fact that pipelines and other critical infrastructure remain vulnerable to cyberattacks is deeply concerning and, until that fragility is fixed, the possibility of a catastrophic and massively disruptive attack remains.”