
Passengers, the train is not moving any further. Is it moving? How hackers have "defaced" railway infrastructure in different countries over the past 10 years: timeline

"Ukrzaliznytsia" is suffering from a massive cyberattack on railway services for the second day. dev.ua analyzed the chronology of hacker attacks on world railways over the past decade.


Rail logistics remains one of the key sectors in the modern world, and attacks like this one are far from new. Czech Transport Minister Martin Kupka said that Russia has carried out “thousands” of cyberattacks on European railways in an attempt to destabilize the EU and undermine critical infrastructure.

According to a 2023 report by the European Cybersecurity Agency (ENISA), Europe's rail infrastructure faces threats from ransomware, DDoS attacks and data theft attempts, particularly in ticketing systems and mobile applications.

2016

Free Ride Day in San Francisco

On November 26, 2016, during Thanksgiving, the San Francisco Municipal Transportation Agency, sometimes referred to as Muni or SFMTA, was the victim of a ransomware attack that affected internal computer systems, including email and ticketing systems.

Hackers demanded 100 bitcoins ($87,000) from the SFMTA to restore functionality. On Black Friday, SFMTA employees saw a cryptic message on their work computers: “You have been hacked, all data is encrypted” and an email promising to restore access after payment. The SFMTA refused to pay the ransom and restored its systems on its own.

The malware infected about 2,000 of SFMTA's 8,000 computer systems and gained access to physical ticket machines, forcing the city to offer free rides over Thanksgiving weekend and forcing bus drivers to use handwritten routes.

The first attack on Ukrzaliznytsia

In December 2016, Ukrzaliznytsia was in turmoil like never before. The conflict between the new and old management led to a DDoS attack. The attack was linked to the launch of an automatic freight car distribution system, which was supposed to eliminate the corruption component.

Former head of Ukrzaliznytsia Wojciech Balchun even had to cancel a business trip to Vienna and a meeting with the management of the Austrian railway due to the situation at Ukrzaliznytsia.

The then Minister of Infrastructure Volodymyr Omelyan reported that the DDoS attack on Ukrzaliznytsia was carried out from the territory of Ukraine at the request of an unidentified person from St. Petersburg. As a result of the attack, the online ticket purchase service did not work for 24 hours.

2017

Petya.A

On June 27, Ukraine was hit by a large-scale cyberattack. In addition to Ukrzaliznytsia, the following were also affected: the government of Ukraine, Ukrposhta, the Kyiv Metro, Boryspil International Airport, Kharkiv and Odessa airports, the Chernobyl Nuclear Power Plant, as well as a number of media outlets, banks, and commercial structures.

The attack targeted computers that used MEDoc software and accounting systems connected to MEDoc.

The Petya.A virus encrypted data on a computer and displayed a message on the screen demanding a transfer of 0.9 bitcoins to unlock it. The infection occurred through phishing emails. According to the British National Computer Security Center (NCSC), the attack was carried out by a group of Russian military hackers called Fancy Bear.

On June 18, 2021, the National Security and Defense Council imposed sanctions against hackers involved in the development of the virus, in particular against four legal entities and six individuals associated with the special services of "country 404". Ukrzaliznytsia reported that the experience it gained in December 2016 helped it respond quickly to the new cyberattack.

WannaCry

In May 2017, another notorious cyberattack, WannaCry, swept the world. German state-owned railway operator Deutsche Bahn fell victim to WannaCry, which disrupted its digital passenger information systems.

The attack mainly affected electronic signs at stations, which are used to announce train arrival and departure times. The hacked signs broadcast a ransom demand in Bitcoin, with threats to double the amount if payment is not made within three days.

Deutsche Bahn quickly resolved the problem with the broken displays, restoring normal operations within a few hours. Trains continued to run without interruption, and no safety violations were reported.

2020–2021

Neutrality won't help.

During this period, the railway infrastructure was hit by several cyberattacks. In the Czech Republic and Germany, there were several minor incidents that did not affect rail services. In Belgium, an attack disrupted train traffic but was also quickly neutralized.

Neutral Switzerland suffered the most. The IT infrastructure of the local railway manufacturer Stadler was subjected to a large-scale attack. The attackers gained access to 10,000 items of sensitive internal data, mainly bank contracts and loans, as well as a tax agreement with local authorities. After Stadler management refused to pay the ransom, part of this data was published on Twitter.

2022

And Switzerland again

In January 2022, an anonymous hacker discovered a vulnerability in the Swiss Federal Railways (SFR) system that gave access to the personal data of about 500,000 passengers. Among the compromised information were names, dates of birth, travel routes, and ticket classes purchased.

The hacker reported the problem to Swiss TV channel SRF, emphasizing that no special IT skills are required to exploit this vulnerability.

"Hell" on "BelZhd"

With the beginning of Russia's full-scale invasion of Ukraine, various hacker groups became more active, resisting the occupier.

The Belarusian group of anonymous hacker activists "Cyberpartisans" announced the successful hacking of the Belarusian railway system. Through its Telegram channel, the group reported that the cyberattack, codenamed "Hell", encrypted the main servers, databases and workstations of the Belarusian Railways (BelZhD), with the aim of slowing down and disrupting transport. It is noted that data backups were destroyed, which makes it difficult to restore the system.

The Cyberpartisans said they would restore access to the servers only if 50 political prisoners were released and the transfer of Russian troops to Belarus was stopped. The Belarusian authorities did not react to the attack.

Russian Killnet Activities

The pro-Russian hacker group Killnet claimed responsibility for the 2022 attacks on Romanian state railway operator CFR Calatori in April, Lithuanian Railways and Latvian operator SJSC in June, and Estonian Railways in August.

The attack on Romania took place immediately after the visit of the Romanian delegation to Kyiv, where they announced their support for Kyiv in the war against Russia, including with weapons. In response, the National Cybersecurity Directorate of Romania published on its official website a list of 266 IP addresses involved in the DDoS attacks on April 29. We remind you that dev.ua recently spoke with the Director General of the Directorate, Mr. Dan Cimpean.

Killnet carried out a DDoS cyberattack on Lithuania, claiming it was in response to the Lithuanian government's decision to block access to sanctioned supplies to the neighboring Russian territory of Kaliningrad.

Attack on Danish railway infrastructure

A server outage at a third-party IT service provider has brought train services in Denmark to a complete halt. The cyberattack targeted solution provider Supeo, which developed the Digital Backpack 2 software used by train drivers.

Without access to the software, Danish train drivers were effectively left blind, as critical information such as speed limits and railway maintenance is delivered via the Supeo app.

Apennine paralysis

The Italian State Railways (FS) and its subsidiaries Trenitalia and Italian Rail Network (RFI) have been hit by a large-scale ransomware attack, seriously affecting ticketing systems, passenger information boards and internal communications.

Cryptolocker malware, distributed via email, encrypted the company's data. The hackers demanded a ransom of $5 million, threatening to double the amount to $10 million.

Rail freight services were temporarily suspended for 24 hours, not only in Italy. FS, Metrans Rail of the Czech Republic, HUPAC of Switzerland and Lineas of Belgium were reportedly affected. It was also impossible to cross the border with Austria and Slovenia for some time.

2023-2024

"Radio Stop"

An attack on the Polish national railway's communications network stopped 20 trains across the country and paralyzed traffic for several hours over the weekend.

The suspects, Polish citizens aged 24 and 29, were arrested near the border with Belarus. Radio RMF reported that one of the suspects is likely a police officer in Białystok.

The saboteurs were able to paralyze train traffic — both freight and passenger — across the country by simply sending “stop” commands to the trains they targeted over the radio frequency. The attackers also broadcast the Russian national anthem and excerpts of a speech by Russian dictator Vladimir Putin on the carriages. Polish trains use a radio system that lacks encryption or authentication, making them vulnerable to such hacks.

Attack on the German Üstra

Üstra, the Hanover transport company, faced serious consequences from a hacker attack that occurred on March 31, 2023. Electronic displays at bus stops did not work for several days, sales of the new Deutschland-Ticket were suspended a few hours after its launch, and the company's telephone and electronic services were also down.

According to Hannoversche Allgemeine (HAZ), hackers penetrated IT systems via an infected email attachment that encrypts files.

Hacking India's infrastructure

In December 2023, one of the world's largest railway networks fell victim to a hacker attack. As in previous cases, hackers hacked the official website of the Indian Railways and demanded a ransom in Bitcoin. After some time, an attacker with the nickname ShadowHacker announced on Telegram that he had 34 million records of Indian Railways users.

According to the hacker, the collected data includes various details such as names, email addresses, and phone numbers, and even several government email addresses. The attacker claimed to have collected over 25 million phone numbers and other personal information.

Along with personal data, various data about users' travel history, as well as information about the train and destination, were stolen.

Belgian shorthair

On January 18, 2024, Belgium's national railway company was hit by a massive cyberattack. The incident caused widespread disruption to the company's online services, affecting both its website and mobile app, as well as information screens at train stations across the country.

Bart Krolz, a spokesman for the rail company, explained that the website received a surge of requests around 2 a.m., causing it to crash due to the high volume of traffic. The company immediately deactivated the website to prevent further damage and potential data leaks.

The timing of the attack was particularly problematic for passengers and travellers in Belgium as it coincided with the aftermath of a severe snowstorm that had caused significant disruption to the rail network the day before.

2025

Cyber operation of the State Security Service against the Russian RegionTransService

Ukrainian influence was also involved. We previously wrote about a large-scale cyberattack on the Russian company RegionTransService, which is engaged in the maintenance of freight cars and cooperates with the Russian army.

The attack destroyed all servers, disabled workstations, and erased data backups. A total of 78 servers and 211 workstations were affected.

New attack on Ukrzaliznytsia

Unfortunately, the list of attacks on railway infrastructure ends with another cyberattack on Ukrzaliznytsia. The system has been down since Sunday, and online ticket sales are still unavailable. “All Ukrzaliznytsia’s IT forces are still focused on recovering from a large-scale server failure,” the carrier said in a statement.

Where are we going?

As we can see, the situation with Ukrzaliznytsia is far from unique in the world of cyber threats. In general, the European Cybersecurity Agency notes that ransomware is the main threat to the railway sector, accounting for 45% of cyber attacks. Attackers include both foreign hostile intelligence services trying to disrupt logistics chains and hacker groups seeking to profit from passengers' personal data.
