Ukraine & Belarusia: The Next Steps in the Rail Cyber War
Russia's invasion of Ukraine has exposed an arms race that is now underway in the use of cyber capabilities to attack rail networks.
This fortnight’s post is unfortunately a grim one, but this is necessarily so in the fraught times in which we find ourselves.
Cyber Partisans Hit the Rail Network
In January, as rumblings about Russia’s invasion of Ukraine began, a group calling themselves the Belarusian Cyber-Partisans carried out a ransomware attack on the Belarusian state railway network, encrypting the data on a number of its servers. They posted screenshots online to illustrate the level of access they had obtained. The group claimed to have crippled many of the railway’s ‘automated systems’ and to have the capability to alter the function of the railway's signalling system (thankfully the automatic route-setting software rather than the underlying safety interlocking, which ultimately ensures safety).
The attack was timed to hamper the transfer of Russian troops into Belarus for military exercises. The group made two key demands: the release of fifty political prisoners and that the railway refuse to transport Russian military forces that could be used for an attack on Ukraine. There was evidence that significant disruption was caused. Following the invasion, the group announced a further cyberattack on 27 February, as a response to Russian troops travelling from Belarus to Ukraine. Belarusian railway websites were confirmed to be down for some time. Social media showed long queues for tickets several days after the incident.
This attack was novel from a threat perspective. The tech media outlet Wired quoted Brett Callow, a ransomware expert, as saying:
This is the first time I can recall non-state actors having deployed ransomware purely for political objectives…I’m surprised it didn’t happen a long, long time ago.
The Cyber Partisans are a known group of disaffected IT engineers who have sought to fight back against Belarusian president Alexander Lukashenko following the 2020 Belarusian elections, which international observers declared were not ‘free or fair’. The Belarusian railway itself was ripe for compromise by ‘insider threat’ following a political purge of railway staff. Significant physical sabotage of the network has also now been seen, and as a result the function of Belarus’s railway is reportedly seriously impaired.
Russian Counter Action
Separately, the Financial Times reported that US cyber security experts had blunted the potential for Russian attacks as part of their pre-emptive cyber defence work for Ukraine. One particularly pernicious type of malware was found to have been planted on the Ukrainian Railway’s servers: “wiperware.” Unlike ransomware, Trojans, and other common malware, “wiperware” is not focused on theft or financial gain. It is purely destructive and specifically designed to damage target systems by erasing user data and programs. If the malware had remained undiscovered and been triggered, it could have shut the railway down. This would have significantly exacerbated the humanitarian disaster there: in just the first ten days of the Russian invasion, nearly 1 million Ukrainian civilians escaped to safety on the rail network. The presence of this malware supports what has long been suspected: criminal gangs are working more and more closely with rogue nation states. The intelligence gathered through many years of criminal extortion is now primed to be used for ruthless military advantage.
Escalation and Spread of Capabilities
Regardless of the validity of the motives of any given attack, all such attacks lead to escalation. This increases the risk for other railways, in particular those using similar technologies. Previous major cyber attacks on ‘Operational Technology’, like Stuxnet and NotPetya, led both to the unintended spread of the malware and to the intentional copying of techniques by new perpetrators. Rail companies will do well to examine the recent incidents in Ukraine and Belarus in detail, as real-world examples of credible attacks on rail that will be repeated.
Many were surprised that Russia did not launch a major coordinated cyber campaign at the outset of its invasion. But with Putin’s kinetic war grinding to a halt and extreme Western sanctions in place, large scale retaliatory cyber attacks are expected. On Monday US President Joe Biden told US business executives it is their “patriotic obligation” to strengthen their digital defences:
Today my administration issued new warnings that based on evolving intelligence Russia may be planning a cyber attack against us. The magnitude of Russian cyber capacity is fairly consequential, and it’s coming.
It’s a warning all companies responsible for critical infrastructure - including rail - would be very well advised to listen to. As if to hammer the point home, almost exactly as Biden spoke the press was speculating that another Russian cyber attack had occurred, this time on Italian State railways.
The next issue
Please do feed back your thoughts in the comments, on LinkedIn or on Twitter. Posts are biweekly for 2022. To make sure you don’t miss any of them, please subscribe below:
I’m very keen to build the network to engage on these important topics, so if you know anyone who is interested in the safety of modern transport technology please do share a link with them.
Thanks for reading
All views are my own. This is not a political blog, however to be 100% clear: Slava Ukraini!
Please feel free to drop me an e-mail at george.bearfield@ntlworld.com. My particular area of professional and research interest is practical risk and assurance of new technology, and I’m always keen to engage on interesting projects in this area. See you again in two weeks’ time.