{
	"id": "7b06d1a9-be34-434f-8f7c-3afe1b08800a",
	"created_at": "2026-04-06T00:10:21.946457Z",
	"updated_at": "2026-04-10T13:11:39.97074Z",
	"deleted_at": null,
	"sha1_hash": "0b0631f7236fe1b181166fd3d6e2b90f3ecc632d",
	"title": "Trans-Northern Pipelines investigating ALPHV ransomware attack claims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2878712,
	"plain_text": "Trans-Northern Pipelines investigating ALPHV ransomware attack\r\nclaims\r\nBy Sergiu Gatlan\r\nPublished: 2024-02-14 · Archived: 2026-04-05 22:45:32 UTC\r\nTrans-Northern Pipelines (TNPI) has confirmed its internal network was breached in November 2023 and that it's now\r\ninvestigating claims of data theft made by the ALPHV/BlackCat ransomware gang.\r\nTNPI operates 850 kilometers (528 miles) of pipeline in Ontario-Quebec and 320 kilometers (198 miles) in Alberta,\r\ntransporting 221,300 barrels (35.200m3) of refined petroleum products daily.\r\nBoth pipeline systems are underground and transport gasoline, diesel fuel, aviation fuel, and heating fuel from refineries to\r\ndistribution terminals.\r\n\"Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of\r\ninternal computer systems,\" TNPI Communications Team Lead Lisa Dornan told BleepingComputer.\r\n\"We have worked with third-party, cybersecurity experts and the incident was quickly contained. 
We continue to safely\r\noperate our pipeline systems.\r\n\"We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.\"\r\nWhile ALPHV's claims were not directly mentioned by Dornan when asked by BleepingComputer for confirmation, the\r\nransomware gang says its operators stole 183GB of documents from the company's network.\r\nThe allegedly stolen files have now been published on ALPHV's data leak site, and the ransomware group has also added\r\ncontact information for several TNPI employees to the same leak page.\r\nTNPI entry on ALPHV's leak site (BleepingComputer)\r\nALPHV emerged over two years ago, in November 2021, and is believed to be a rebrand of the DarkSide and BlackMatter\r\nransomware operations.\r\nInitially tracked as DarkSide, the operation gained notoriety after their Colonial Pipeline attack, which prompted extensive\r\ninvestigations by law enforcement agencies worldwide and led to the seizure of their infrastructure and the operation's\r\nshutdown.\r\nMonths later, the ransomware group returned under the BlackMatter name, which again shut down in November 2021 and\r\nresurfaced as ALPHV/BlackCat in February 2022.\r\nThe FBI linked this ransomware gang to more than 60 breaches against organizations worldwide during its first four months\r\nof activity, between November 2021 and March 2022.\r\nALPHV amassed over $300 million in ransom payments from over 1,000 victims worldwide until September 2023,\r\naccording to the Federal Bureau of Investigation (FBI).\r\n\"ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and\r\napproximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom\r\npayments,\" the FBI said in December.\r\nThe FBI disrupted ALPHV's operation in December after breaching the gang's servers and temporarily taking down its Tor\r\nnegotiation and data leak 
websites after months of monitoring their activities and creating a decryption tool.\r\nThe ransomware gang has since \"unseized\" their data leak site using the private keys they still owned and launched a new\r\nTor URL the FBI can't take down.\r\nSource: https://www.bleepingcomputer.com/news/security/trans-northern-pipelines-investigating-alphv-ransomware-attack-claims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trans-northern-pipelines-investigating-alphv-ransomware-attack-claims/"
	],
	"report_names": [
		"trans-northern-pipelines-investigating-alphv-ransomware-attack-claims"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b0631f7236fe1b181166fd3d6e2b90f3ecc632d.pdf",
		"text": "https://archive.orkl.eu/0b0631f7236fe1b181166fd3d6e2b90f3ecc632d.txt",
		"img": "https://archive.orkl.eu/0b0631f7236fe1b181166fd3d6e2b90f3ecc632d.jpg"
	}
}