Cyber Incident Victim: Trans-Northern Pipelines Inc.

Date: Nov 2023

Location: Canada

Summary

Trans-Northern Pipelines experienced a cybersecurity breach impacting internal systems, which was contained with third-party assistance while maintaining pipeline operations. The ALPHV/BlackCat ransomware group claimed responsibility, alleging theft of 183GB of company documents and leaking employee contact information. This gang, linked to previous DarkSide and BlackMatter operations, has a history of high-profile attacks and extorted significant global ransom payments before FBI disruptions. The incident exposed sensitive data and operational vulnerabilities despite the company's containment efforts.

Description

In November 2023, Trans-Northern Pipelines Inc. (TNPI) experienced a cybersecurity breach impacting a limited number of internal computer systems. The company, which operates 850 kilometers of pipeline in Ontario-Quebec and 320 kilometers in Alberta transporting refined petroleum products, confirmed the incident after the ALPHV/BlackCat ransomware gang claimed responsibility for data theft. TNPI Communications Team Lead Lisa Dornan stated the organization engaged third-party cybersecurity experts to contain the incident swiftly while maintaining pipeline operations. Although Dornan did not explicitly name ALPHV in her statement to BleepingComputer, the ransomware group asserted it exfiltrated 183GB of company documents and published them on its dark web leak site alongside contact details of TNPI employees. The breach did not disrupt physical pipeline operations, with TNPI emphasizing continued safe transport of gasoline, diesel, aviation fuel, and heating oil across its underground infrastructure.

ALPHV/BlackCat, identified by the FBI as a rebrand of the DarkSide and BlackMatter operations, has been active since November 2021 following infrastructure seizures of its predecessor groups. The gang gained notoriety through high-profile attacks including the Colonial Pipeline incident, with law enforcement attributing over 1,000 global compromises and $300 million in ransom payments to the group by September 2023. Federal investigators disrupted ALPHV’s operations in December 2023 by breaching its servers and temporarily taking down Tor negotiation sites after months of monitoring, though the gang later restored its leak portal using retained private keys. TNPI’s investigation into the authenticity of leaked data claims remained ongoing as of February 2024, with no public confirmation of data validity or operational impacts beyond the initial network intrusion. The FBI had previously warned that ALPHV targeted critical infrastructure entities across at least 34 countries during its operational history.
