Cyber attacks continue to hit critical infrastructure, exposing vulnerabilities in oil, water, healthcare sectors

Recent cyber attacks on critical infrastructure facilities have resulted in significant data breaches and disrupted operations at a Canadian oil pipeline company, a U.K.-based water company, and a U.S. children's hospital that is now entering its third week of limited communication with patients after its network was hit. These incidents show how organized cybercriminal and state-linked groups exploit weaknesses in security controls to disrupt services, steal sensitive information, or demand ransom.

Beyond the immediate operational setbacks, each of these attacks exposes the potential for long-term damage to public trust and safety. They are a stark reminder of the urgency of safeguarding critical infrastructure against cyber threats, and of the need to bolster cybersecurity defenses so that public safety and confidence are maintained.

The ALPHV/BlackCat ransomware group is allegedly behind a cyberattack on Canada’s Trans-Northern Pipelines, during which it claims to have exfiltrated 190 GB of data from the oil distribution firm. Separately, Southern Water has alerted its customers that data relating to 5 to 10 percent of its customer base was compromised in a cyber attack. Meanwhile, Lurie Children’s Hospital in Chicago is entering its third week of limited communication with patients after its network was hit by a cyberattack.

Trans-Northern Pipelines (TNPI) confirmed on Wednesday that its internal network was breached in November 2023 and said it is now investigating claims of data theft made by the ALPHV/BlackCat ransomware gang. The confirmation came after ALPHV added Trans-Northern to its data leak and extortion site on Tuesday, claiming that ‘all important information in the amount of 190GB was stolen. All files are public, Good luck.’ 

“Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems,” Lisa Dornan, TNPI Communications Team Lead, told BleepingComputer. “We have worked with third-party cybersecurity experts, and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.”

Trans-Northern operates regulated pipelines that transport refined petroleum products such as gasoline, diesel, aviation fuel, and heating fuel used by Canadian businesses and consumers every day. These pipelines connect refineries in Edmonton to Calgary, including Calgary International Airport, and refineries in Nanticoke, Ontario, and Montreal to the Greater Toronto Area (GTA), with lateral pipelines to Ottawa as well as to Pearson International Airport and Pierre Elliott Trudeau International Airport.

The attack on the oil pipeline company is a reminder to the critical infrastructure sector of the May 2021 DarkSide ransomware attack on Colonial Pipeline. That attack compromised the company's IT systems rather than the control systems that physically run the pipeline, but because those IT systems managed billing and related operations, Colonial Pipeline halted all pipeline operations to contain the attack. 

With the FBI (Federal Bureau of Investigation) aware of the negotiation, the company paid the ransom demanded by the group (75 bitcoin, or about US$4.4 million) within hours. On receipt of the payment, DarkSide provided a decryption tool to restore the affected systems; however, the tool was so slow that Colonial continued to rebuild from its own backups in parallel. The episode is the practical caveat every ransomware playbook should carry: paying for a decryptor does not substitute for tested, offline backups and a rehearsed restoration procedure.

In December 2023, the U.S. Department of Justice announced a disruption campaign against the BlackCat ransomware group, also known as ALPHV or Noberus. The group has demonstrated a high level of proficiency in targeting and compromising the networks of over 1,000 victims, with significant global repercussions. Particularly concerning is its deliberate focus on infiltrating networks that support critical infrastructure within the U.S. The Trans-Northern listing shows that the group, or its affiliates, remained active after that disruption.

In an update on Monday, Southern Water announced that “data from a limited part of Southern Water’s server estate had been stolen and was at risk following an illegal intrusion into our IT systems. This arose from our ongoing investigation into suspicious activity, as detailed in our statement on 23 January 2024.”

It added that “Based on our forensic investigations so far, which are ongoing, we are notifying in the order of 5 to 10 percent of our customer base to let them know that their personal data has been impacted. We are also notifying all of our current employees and some former employees.”

Southern Water said the notifications include security advice, guidance on recommended precautionary steps, and details of the support it is offering affected individuals. “This support includes enhanced Experian credit monitoring, free of charge, for the next 12 months. The service provides active monitoring which can detect and help prevent fraudulent misuse of personal information.”

Southern Water also disclosed that “We continue to work with our expert technical advisers to confirm whose data is at risk. Our initial assessment is that this is the case for some of our customers and current and former employees.”

Lurie Children’s Hospital’s website remained down on Wednesday morning, and even non-Lurie health providers that rely on its network are dealing with limited access to patients’ medical histories, lab results, and other information crucial to care decisions, WBEZ reports.

There have also been reports that the FBI is investigating the cyberattack on Lurie Children’s Hospital, which still has the Chicago provider’s systems offline and elective surgeries and procedures canceled until further notice. While the hospital has not revealed the type or nature of the attack, which occurred on January 31, it did confirm that a “known criminal threat actor” breached its network.

On Tuesday, industrial cybersecurity company Dragos disclosed that it has been tracking activity by the Voltzite threat group, which overlaps with Volt Typhoon, since early 2023. The group was first observed performing reconnaissance and enumeration of multiple U.S.-based electric companies, and has since targeted emergency management services, telecommunications, satellite services, and the defense industrial base. 

Last week, the U.S. CISA (Cybersecurity and Infrastructure Security Agency) released an advisory detailing some of the techniques, tools, and infrastructure used by Volt Typhoon (the activity Dragos tracks as Voltzite) over the previous year. 
