Viktoria Horbik, That's Life
27 March 2025, 08:33
"The attackers deliberately chose Ukrzaliznytsia as a target." A cybersecurity expert analyzed the case of an attack after which online sales were restored only for the 5th day
On the morning of March 23, Ukrzaliznytsia reported a failure in its IT system. Later, it became known that it was a hacker attack on the resource. The restoration of online sales at Ukrzaliznytsia was announced only this morning, after 89 hours of non-stop work after an unprecedented attack on the railway’s key operating systems. Cybersecurity specialist Vyacheslav Davydenko analyzed this situation from a cybersecurity perspective and shared his thoughts on the matter. Here are his conclusions.
Coincidence or not?
What was initially presented as a «technical failure» and then turned out to be a targeted cyberattack is a classic scenario. Attackers often try to disguise their actions to buy time and cause more damage. Targeted attacks are typically more complex and require more resources from attackers than random attacks.
This means that the attackers deliberately chose Ukrzaliznytsia as a target, which increases the level of danger, because such attacks are carefully planned. Given the information that has already been made public, that the attack was «systemic, non-trivial and multi-level», it can be concluded that the attackers had a high level of training and used sophisticated tools. It can be assumed that the attackers used a combination of different methods to penetrate Ukrzaliznytsia’s systems. This may include phishing attacks, the use of malware, the exploitation of software vulnerabilities and other methods.
About the depth of penetration
The exact depth of penetration will obviously only be determined after a full investigation. However, given the scale of the attack, it can be assumed that the attackers were able to gain access to a significant part of Ukrzaliznytsia’s information systems. Given that the ticketing systems were affected, it is most likely that external servers or network segments responsible for public services were attacked. This allows the attackers to cause temporary failures without deeply invading critical internal systems.
There is also the possibility that attackers gained access to the internal network, which could indicate the exploitation of vulnerabilities in security systems or internal communications. This could potentially allow them to control workflows or access confidential data.
Attackers could have gained access to passengers' personal data, financial information, or other confidential data stored in Ukrzaliznytsia’s systems.
However, it cannot be ruled out that the attackers could have also tried to gain access to more critical systems, for example the systems that control train traffic, which could have serious consequences for safety. However, according to official reports, train traffic was kept stable.
About recovery
Given that Ukrzaliznytsia reported the «multi-level and complex» nature of the attack, recovery may take some time. Recovery from such an attack can take anywhere from a few days to a few weeks, or possibly longer. The recovery time depends on several factors:
Availability of backups: If Ukrzaliznytsia has a well-established backup system, basic functionality (such as ticket sales) can be restored sooner, perhaps in just a few days.
Scale of attack: If this was a complex attack with the introduction of permanent backdoors, the process of cleaning systems could take weeks.
Need for architectural changes: If serious vulnerabilities are discovered, it may be necessary to rebuild individual system components, which will take longer.
It is necessary not only to restore operability, but also to conduct a thorough analysis to prevent repeated attacks.
Possible consequences of intervention
Operational disruptions: There may be short-term service disruptions that will affect the regular operations of the railway company and cause inconvenience to customers.
Financial losses: Both direct and indirect — due to the need to restore systems, conduct security audits, and potential disclosure of confidential information.
Reputational damage: An incident can affect the trust of partners and the public, which is important for strategic enterprises.
Further threats: Attackers could use the gained access for further attacks or blackmail if they gained access to sensitive data. There is a potential threat to other connected systems if the attack was part of a larger campaign.
Instead of conclusions
This attack is a wake-up call. It shows that Ukraine’s critical infrastructure remains vulnerable to cyberattacks. Therefore, it is necessary to: strengthen the protection of critical facilities, conduct regular training for personnel, and improve cooperation between public and private organizations in the field of cybersecurity. Ukrzaliznytsia needs to invest in cybersecurity to prevent similar attacks in the future. It is important to understand that in times of war, cyberattacks on critical infrastructure are one of the methods of waging war by the aggressor country.
UPD. Cyberattack on Ukrzaliznytsia: restoration is needed not only for passenger but also for freight services. Backup infrastructure has been deployed, thorough diagnostics of backups is underway