NTC Vulkan: The rail cyber threat just got real
Leaked documents from a Russian cyber security contractor show that malign nation states are actively developing the capability to cause rail accidents. Our defences must be equal to the challenge.
An escalating threat
In the last seven years the threat to the safety of critical rail infrastructure has steadily escalated. We’ve seen:
Nation-state attacks on civilian infrastructure, when the notorious Russian Sandworm hacker group attacked and shut down Ukrainian power networks in 2016.
Criminal ransomware affecting rail operations, when the WannaCry ransomware disrupted Deutsche Bahn’s operations in 2017, and when the Danish Railways were temporarily shut following an attack on a third-party IT provider.
In the last year the Russian invasion of Ukraine has seen repeated, vicious and fatal attacks on civilian rail infrastructure. And then, on 8th October last year, ‘sabotage’ was cited as the reason for an hours-long stoppage of all rail traffic in the north of Germany, after rail cables were cut. Most fingers of suspicion once again pointed at Russia.
Nevertheless, despite this pattern of escalation, there has - until now - been little or no evidence of the intent of nation states to attack civilian rail infrastructure in order to cause public harm.
Well, now there is some evidence: a smoking gun, of sorts.
NTC Vulkan
A number of documents dated between 2016 and 2020 were recently leaked to various media outlets from a company called NTC Vulkan: an IT contractor based in Moscow, which works on contracts with Russian government agencies. There are some indications that the customer was the notorious group 74455, a cyberwarfare unit of Russia's military intelligence service, nicknamed ‘Sandworm.’ The documents offer a snapshot of the cyber security capability the Russian state has been seeking to develop in recent years.
The documents specify a number of related IT systems, which are intended to work together. The tools can be used to systematically shape social media, collect and map large amounts of infrastructure data and then to launch automated, coordinated cyber attacks.
A suite of tools
One of the tendered projects - Krystal 2B - is for a training platform that simulates attacks on critical national infrastructure for both offensive and defensive reasons. The tool simulates ARP-spoofing attacks on critical infrastructure. Put simply, this is where a hacker on the same local network tricks a computer into sending its traffic to the attacker’s machine instead of to the intended recipient, and is then able to read or tamper with internal information and communications.
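As an added illustration of the defensive side (this is example code, not anything from the leaked documents or the article), the check below detects the signature of ARP spoofing on a network whose hosts are fixed, as rail and other OT networks usually are: a trusted IP-to-MAC baseline is kept, and any ARP reply that contradicts it, or any IP address claimed by more than one MAC, raises an alert. The baseline, the addresses and the observed replies are all constructed for the example.

```python
# Added example: minimal ARP-spoofing detector for a fixed-host (OT-style) network.
# Constructed data throughout; in practice the replies would come from a packet
# capture or switch telemetry, and the baseline from the network's asset register.
from collections import defaultdict

# Constructed trusted baseline: the MAC each IP address is expected to have.
BASELINE = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway (constructed)
    "10.0.0.20": "00:11:22:33:44:20",  # a control-system host (constructed)
}

# Constructed observed ARP replies: (sender IP, sender MAC).
OBSERVED = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.20", "00:11:22:33:44:20"),
    ("10.0.0.1", "AA:BB:CC:DD:EE:FF"),   # a second MAC claims to be the gateway
    ("10.0.0.1", "aa:bb:cc:dd:ee:ff"),   # same claim repeated (case differs)
    ("10.0.0.30", "00:11:22:33:44:30"),  # host not present in the baseline
]


def detect_arp_spoofing(baseline, replies):
    """Return alerts as (ip, mac, reason) tuples, one per distinct finding.

    Two checks: a reply whose MAC differs from the trusted baseline for that IP
    (or whose IP is unknown), and an IP claimed by more than one MAC within the
    observed window, which is the classic ARP-poisoning signature."""
    alerts = []
    seen = set()
    claimed = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        claimed[ip].add(mac)
        if (ip, mac) in seen:
            continue                      # report each (ip, mac) pair only once
        seen.add((ip, mac))
        expected = baseline.get(ip)
        if expected is None:
            alerts.append((ip, mac, "ip not in baseline"))
        elif mac != expected.lower():
            alerts.append((ip, mac, "mac differs from trusted baseline"))
    for ip, macs in sorted(claimed.items()):
        if len(macs) > 1:
            alerts.append((ip, ",".join(sorted(macs)), "multiple macs claim one ip"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(BASELINE, OBSERVED):
        print("ALERT", *alert)
```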
Another project, Amesit, includes a simulated environment for rail and pipeline control systems to plan and visualise the effects of cyber attacks. This clearly establishes these industries as being amongst Russia’s targets of interest for attacks.
The cybersecurity firm Mandiant reviewed selections of the documents. Its vice president for intelligence analysis concluded that:
“These documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy’s will to fight.”
The document specifies the control systems that the attacker should be able to affect and the physical impacts it should seek to generate. This brings us to the key concern for rail systems: Mandiant’s report also notes that the capabilities being sought include:
“manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail…”
Their conclusion is that this is done:
“with the explicit objective of causing train collisions and accidents.”
What does this mean in practice?
There is a natural and healthy tendency to treat speculation about risk with a sceptical eye - particularly when a theorised risk involves the deliberate intent to harm people. The possibility of such attacks is an unpleasant thought, and not one that many would naturally want to entertain without evidence. For both of those reasons such risks can often be readily dismissed.
However, the latest revelations are a material warning that demands a reset of perspective. All indications are that we are trapped in a race: hostile nations increasingly see civilian rail infrastructure as a military target and are feverishly looking for gaps in our systems. The only acceptable response is to work even harder to ensure that any gaps in our defences are closed and kept closed.
I’m keen to build the network for Tech Safe Transport. If you know anyone who is interested in the safety of modern transport technology, and who likes a thought provoking read every few weeks, please do share a link with them.
Thanks for reading
All views here are my own. Please feel free to feed back any thoughts or comments and please do feel free to drop me an e-mail on george.bearfield@ntlworld.com.
My particular area of professional interest is practical risk management and assurance of new technology. I’m always keen to engage on interesting projects or research in this area.
In my last post I mentioned that Libusa has just launched an e-learning course I have developed on ‘Rail Software Safety Assurance as a Client.’ The reception to this course has been excellent so far - if you’d like to know more, or arrange a demo - please email academy@libusa.co.uk.