For the railway sector, ENISA identified threats ranging from ransomware (45%) to data-related threats (25%), primarily targeting IT systems such as passenger services, ticketing systems and mobile applications, causing service disruptions. Hacktivist groups are increasingly launching DDoS attacks against railway companies, largely as a result of Russia's invasion of Ukraine.
Most of the attacks observed targeted railway IT systems (passenger services, ticketing systems, mobile applications, display boards, etc.), causing disruptions due to the unavailability of these services. Examples include the ransomware attacks against Skånetrafiken (August 2021) and Ferrovie dello Stato Italiane (March 2022), which resulted in customers being unable to buy tickets after IT systems were infected. The only cases where OT systems and networks were affected were either when entire networks were affected or when mission-critical IT systems were unavailable.
Notable data thefts include the cases of OmniTRAX, MTA, Merseyrail, Norfolk Southern Railroads and Lokaltog A/S, where personnel and medical records were stolen. The OmniTRAX case is the first publicly known case of a dual extortion ransomware attack against a US freight rail operator.
In another case, Danish rail operator DSB's network experienced service disruptions (October 2022) due to an attack on one of its ICT service providers following an alleged DDoS attack. The incident reportedly affected the accessibility of a key safety-critical IT system, disrupting DSB's operations for several hours that day.
In an interesting case, hacktivists launched a ransomware attack on Belarus' state-owned railway company in an attempt to disrupt Russian troop movements (January 2022). To achieve this, the group used modified ransomware to bring down the railway system, encrypting servers, databases and workstations belonging to the Belarusian railway service.
DDoS attacks are on the rise in 2022, accounting for a fifth (20%) of attacks against the railway sector. This is primarily due to increased hacktivist activity following Russia's unprovoked invasion of Ukraine. Hacktivist elements with pro-Russian/anti-NATO sentiments have launched DDoS attacks against railway companies. Examples include pro-Russian hacker groups claiming responsibility for attacks on railway operator CFR Calatori (April 2022), Lithuanian Railways (June 2022), Latvian Passenger Railways SJSC (June 2022) and Estonian Railways (August 2022).
In terms of vulnerabilities (15%), two cases stand out. In December 2021, the Canadian transport agency Metrolinx temporarily shut down its website as a precautionary measure after being informed by the federal government of a cyber vulnerability. In January 2022, an anonymous hacker reported a vulnerability affecting the Swiss national railway system, potentially allowing access to customers' personal data, ENISA concludes its part of this report focused on rail transport.
