Ransomware gang claims it hit Canadian oil pipeline operator

The AlphV ransomware gang claims it has hit Canadian oil transmission operator Trans-Northern Pipeline, which operates pipelines in three provinces.

Brett Callow, a B.C.-based threat researcher with Emsisoft, first broke the news earlier today in a tweet on the X social media platform.

The gang claims 190 GB of data was recently stolen, all of which is now publicly available.

In an email statement, Trans-Northern said the company “experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems. We have worked with third-party cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.”

There were no unusual or unplanned interruptions of pipeline operations, said Lisa Dornan, the company’s communications team leader.

The company didn’t answer emailed questions about how much data, if any, was stolen, how much, if any, was encrypted, and whether any of it involved the data of employees or customers.

Trans-Northern operates two lines: an oil pipeline between Calgary and Edmonton, and a separate line that runs roughly from Nanticoke, Ont. through Toronto to Montreal.

Separately, AlphV also listed as a victim the Canadian electronics retail chain The Source, which is owned by BCE, the parent company of Bell Canada.

The AlphV/BlackCat ransomware gang has been in the crosshairs of governments for some time. In December, the U.S. Justice Department said it had disrupted the gang’s operations after the FBI created and distributed a decryption tool to over 500 victim organizations. The U.S. also seized several websites the group operates.

Threat researchers differ on whether ransomware victims are targeted, or end up being hit because crooks find application vulnerabilities or take advantage of stolen passwords. AlphV is a ransomware-as-a-service operation, which means it uses affiliates who specialize in finding ways to initially break into a corporate network.

Certainly pipelines are a juicy target for extortion. When the U.S. Colonial Pipeline was hit by ransomware in 2021, the unprepared company stopped all pipeline operations to contain the attack. According to CNN, the shutdown was also because the attack impacted Colonial’s ability to bill customers. Regardless of the reason, one result was temporary long lineups for gasoline on the east coast of the U.S.

Experts said at the time that one mistake in attacking a critical infrastructure provider was that it brought in the weight of U.S. authorities. While Colonial paid a US$4.5 million ransom to the DarkSide ransomware gang, about half was recovered by the U.S. government.

During a Congressional hearing, the head of Colonial Pipeline told U.S. senators that hackers were able to get into its IT system by stealing a single password to a legacy Virtual Private Network (VPN) that did not have multifactor authentication.

The post Ransomware gang claims it hit Canadian oil pipeline operator first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
