BlackCat/ALPHV Claims Attack on Trans-Northern Pipelines

Date:

February 14, 2024


Trans-Northern Pipelines (TNPI) disclosed the company is investigating an attack that occurred last fall.

The attack was claimed by the infamous ALPHV/BlackCat ransomware gang and may have included the exfiltration of 183GB of sensitive data, which the gang alleges it has published on its leak site.

"Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems," BleepingComputer reports a spokesperson as saying.

"We have worked with third-party cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims."

Takeaway: If confirmed, BlackCat/ALPHV may have targeted critical Linux systems. Recently, more ransomware groups have been introducing Linux versions of their payloads. Linux runs many of the most sensitive operations behind the scenes, including a large share of almost any nation's critical infrastructure.

If these systems are disrupted by a ransomware attack, the result could be a catastrophic event. Unfortunately, this fact makes Linux even more alluring to today's ransomware gangs — many of which are affiliated with nation-states that have effectively unlimited resources.

Linux runs approximately 80% of Web servers and is the most common operating system for constrained, embedded, and IoT devices used in sectors such as energy and manufacturing. Linux also drives most government and military networks, financial and banking systems, and runs the backbone of the Internet.  

Linux also runs most organizations' database servers, file servers, and email servers. Linux unifies the IT stack and makes the network easier to manage. So, if attackers gain access to a Linux environment, they have access to an organization's most critical systems and data.

Given Linux's small market share on desktops and laptops, Linux security offerings tend to be an afterthought. In fact, most endpoint security solutions don't even cover Linux, so options are few. This makes defending Linux systems a major challenge.

Attackers are increasing their attention on Linux servers for a few reasons — namely, disrupting Linux servers holds the potential to inflict a lot of pain, and attackers know that more pain translates to more dollars in their pockets from higher ransom demands.

The "always on, always available" nature of Linux systems paints a huge target for threat actors, and compromising Linux systems provides a strategic beachhead for moving laterally throughout a targeted organization's network.

And Linux is open source, which means attackers have a great deal more insight into how Linux systems run, and have a head start in customizing attacks. The targeting of Linux systems has the potential to cause serious disruptions far beyond the scale of any ransomware attack we have seen to date.

The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic, but we can reduce the threat of a major disruption and its potential impact by preparing now.

Specific measures to ensure an organization is resilient after a ransomware attack will have to come from the organizations themselves; they should not hold out hope that the government will be able to offer anything in the way of preventative protection beyond some symbolic gestures.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.