Ransomware Attack on UK Rail System – Spray and Pray or Targeted?
Northern Rail, one of the UK’s local railway systems covering the north of England, had its new self-service ticketing machines taken off-line following a ransomware attack last week.
Railways in the UK are operated under a licensed franchise system following the breakup of the state-owned British Rail, which was privatized gradually from 1994 to 1997. The rail infrastructure is owned and managed by Network Rail, described as an ‘arm’s length’ public body of the Department for Transport – but the rail services are operated by private companies under license to the government.
The government exercised its rights last year. Northern Rail was at the time operated by Arriva Rail North, but the service was taken over (or taken back) by the government after a series of problems including delays and cancellations to services.
Northern Rail is effectively government owned. The self-service, touchscreen, tablet-like ticketing machines (approximately 600+) were bought and paid for with government funds (around £17 million), and installed in about 420 stations across the network. This means that there is zero chance of any ransom being paid. If this were a targeted attack, the attackers would have known this.
The implication – which is just conjecture since no details have yet been released – is that this was a spray and pray attack which resulted in ransomware being delivered simply because it was possible. This in turn should remind SMEs that they are still subject to ransomware attacks even if they don’t consider themselves to be an attractive target.
The ticketing machines were provided by Flowbird Transport Intelligence, and installation was completed in May 2021. Northern Rail has provided no information on the problem. A travel alert on its website merely says, “We are currently experiencing technical difficulties with our self-service ticket machines which mean all have to be taken off-line. We are investigating the issue and are working hard…”
There was no disruption to rail services, and tickets could still be purchased manually at ticket offices.
Flowbird has provided more information to the BBC. It told the BBC that the problem was first identified through cyber monitoring systems. “We immediately instigated our major incident procedure in order to protect other parts of the network and our checks have shown there has been no compromise to any personal data,” a spokesperson said.
This is an important comment, since the ticketing machines accept card payment for the tickets they dispense. If accurate, it lends further credence to the idea that this was a commodity level ransomware attack, rather than a sophisticated targeted attack. (That idea will need to be revised if it turns out the attackers were resident longer than expected, that payment details were stolen, and the ransomware deployed to cover tracks.)
Andy Norton, European cyber risk officer at Armis, commented, “Given how recent the installation was, it would appear some basic security mechanisms are missing from the recent deployment. The ticketing system is likely Android based, and there is a small number of ransomware families that specifically target Android devices. Rail networks are considered critical infrastructure under the NIS legislation and so, a risk assessment of the new Ticketing system should have been undertaken and this risk assessment should have included the risk of cyberattack with mitigating controls.”