All aboard! How hackers are moving in on the transit sector
June 22, 2020
Many governments have designated their public transportation systems as part of their national critical infrastructure—vital to a country’s economy and closely identified with its prestige. As such, these systems can face a range of threats from both financially and politically motivated cyberthreat actors, including: disruptive and destructive attacks, particularly ransomware attacks; cyber-physical threats that could endanger people or property; supply chain risks; fraud; vulnerabilities associated with the integration of operational technologies (OT) and Internet of Things (IoT) technologies; and cyber-enabled information operations that could discredit an organization or cause panic. Unfortunately, a blurring of boundaries between criminal activity, espionage and hacktivism can make it difficult to identify threat actors.
With this blog, we intend to help intelligence analysts and information security specialists in the transit field better inform their own analyses on developing threat situations, drawing on iDefense insight to aid investigations, risk assessments, attribution and mitigation efforts; as well as help management and executive leadership assess their security posture and the risks associated with these threats to make operational and policy decisions.
As outlined below, threats to the transit sector value chain are many.
Many transit systems are critical infrastructure providers and, as such, could become targets for both politically and financially motivated cyberthreat activity. In fact, geopolitically motivated threat actors have targeted transportation systems in the past as part of broader attempts to discredit or hobble a country or region. For example, SANDFISH (reportedly a Russian military hacker group) allegedly carried out attacks against Ukrainian transportation entities. In both the December 2016 Crashoverride/Industroyer attack and the June 2017 Petya.A/NotPetya pseudo-ransomware attack, SANDFISH disrupted Ukraine’s railroad company and its Ministry of Infrastructure. Similarly, the October 2017 BadRabbit attack, which was also attributed to SANDFISH, disrupted Kyiv's metro rail system, the Odessa International Airport, and the Ministry of Infrastructure of Ukraine.
Since 2018, ransomware operators have increasingly targeted local governments, services and infrastructure. Incidents from late 2019 and early 2020 affected companies in transportation and related sectors:
Criminals have likely targeted critical infrastructure providers because their operators understand their services to be essential, thus making them likely to pay ransoms. Similarly, several U.S. municipalities, hospitals and other organizations providing essential public services have chosen to pay the ransom.
Some ransomware threat actors have added a new level of extortion, stealing sensitive information from their victims and threatening to publicize or sell the data if ransoms are not paid. At least one such attack affected the transportation sector: An account associated with the BitPaymer ransomware claimed to have breached a Midwestern freight company and warned that it exfiltrated company data, implying that it might sell or leak the data if the company failed to pay the ransom. Whether they paid has not been publicly reported. RailWorks, a North American rail infrastructure provider, reported in January 2020 that ransomware actors may have gained access to personal employee information. For more on this trend, read the Accenture Cyber Defense blog “Extortion Entrepreneurs: How cybercriminals are bullying businesses.”
Criminals deploy tools and tactics such as commodity information stealers, bank Trojans and business e-mail compromises (BEC) to attempt to steal funds or exfiltrate personally identifiable information (PII), credit card data or other information they can monetize.
iDefense’s survey of underground criminal forums and marketplaces between October 2017 and March 2020 has shown malicious actors selling access to compromised databases and offering services for loading funds into transit system accounts and for booking travel within Canada and the United States at discounted rates. In addition, misconfigured databases of passengers’ travel details, such as data from 146 million Wi-Fi users at UK railway stations, could lie open for threat actors to exploit.
Threat actors have also taken advantage of the COVID-19 pandemic, sending coronavirus-themed phishing emails to shipping companies and hijacking email addresses of trucking companies to send fake employment forms to laid-off workers and harvest their banking information. In addition, financially or politically motivated threat actors could carry out industrial espionage to steal confidential manufacturing or operating information from transportation-related businesses. Threat actors using the NetSupport Manager remote access tool (RAT) have targeted transportation-related companies, among others. Remote access to company systems could potentially allow threat actors either to steal financial or proprietary information or disrupt processes. The xHunt tool used against Middle Eastern shipping entities allows monitoring of infected systems and data exfiltration. FakeSpy, a malicious Android application capable of SMS phishing and credential stealing, featured a spoofed website of a Japanese express delivery service company.
Over the past several years, iDefense has also observed a drastic increase in malicious actors selling access to compromised corporate networks. One such actor, nicknamed “FXMSP,” posted an ad in December 2017 offering access to the “entire” network of the British Columbia-based TMS Transportation company (see Exhibit 2). iDefense has observed other threat actors selling access to compromised systems of transportation and logistics companies. The explosion in sales of remote access has simplified the process of carrying out targeted attacks, and allows threat actors to steal and alter data at will and, potentially, gain access to OT systems.
The integration of IT with OT in transit systems—whether in refueling systems, signals, switches, sensors, devices for data monitoring and remote control, or communications-based train controls—adds new threat considerations. Cybersecurity professionals are used to working with IT systems but are not always used to the special needs of OT, some of which follow:
In the October 2019 book "Cyber Resilience of Railway Signaling Systems," Russian ICS and supervisory control and data acquisition (SCADA) cybersecurity specialist Sergey Gordeychik detailed railway-related OT vulnerabilities. Gordeychik explained that attacks on computer-based control systems (CBCS) generally affect efficiency more than safety, because most threat actors cannot bypass the functional safety mechanisms that slow or stop trains in dangerous situations. However, threat actors with low sophistication levels could carry out distributed denial of service (DDoS) attacks or other types of attacks that force a computer-based interlocking (CBI) system to reboot; such attackers could also display incorrect traffic positions on a yardmaster's workstation. Such disruptions could lead to automatic slowdowns or the need for manual control, resulting in train service delays.
In addition, Gordeychik provided examples of how threat actors can take advantage of vulnerabilities in railway automation and telemechanics devices. Some of these can be summarized as follows:
In addition to the vulnerabilities described by Gordeychik, some transit operators use Building Automation and Control networks (BACnets) to control services in and around railway stations. These have a number of vulnerabilities, including a buffer overflow vulnerability in a Delta Controls BACnet controller, tracked as CVE-2019-9569, that could allow remote control of the device. Even without an exploit, actors can remotely control BACnet systems connected to the Internet by using widely available tools.
iDefense looked in underground criminal marketplaces and forums for a sample of keywords related to communications-based train control and other OT technologies and did not find any, suggesting that the type of threat actors who communicate about such technologies are doing so in technical contexts, such as the book cited above, or in closed channels. However, as mentioned, cybercriminals and insiders do sell access to the systems of all kinds of organizations, which could include a transit company or any of its partners or vendors.
A study of Washington Metropolitan Area Transit Authority procurements warned that vendors and third-party contractors, such as contractors who maintain the automated control systems in railroad cars, could open such systems to cyberthreats.
iDefense has also observed threat actors on underground forums selling access to the networks of IT providers with clients in the transportation sector.
Attacks on telecommunications providers could halt operations; in October 2017, DDoS attacks on Internet service providers used by Swedish transportation organizations disrupted train management and ticket booking systems. Similarly, attacks on electricity suppliers could affect transit service, and attacks to manipulate information broadcast by a transit operator’s advertising partners or by a developer making an app with the operator’s scheduling data could prove disruptive.
State-backed threat actors have sometimes hidden behind the masks of hacktivists who carry out defacements, DDoS attacks or other disruptive attacks on supposedly idealistic grounds. For example, Russian military operatives used hacktivist personas to publicize misinformation leading up to the 2016 U.S. elections, and the Iranian government has used hacktivists-for-hire for deniable operations. State actors have also masked themselves as ordinary criminals, most famously in the Petya/NotPetya pseudo-ransomware attacks on Ukraine in 2017.
Some ransomware is incapable of collecting a ransom; this was the case with the LockerGoga ransomware that attackers used in the Norsk Hydro attack of 2019. It also often appears that malicious actors use ransomware attacks to clean up evidence of some other crime, such as data exfiltration. Cybercriminals sometimes act under the wing of state intelligence services, doing favors for them in return for the ability to carry out their crimes unpunished. Maksim Yakubets, a top member of the Russian group HIGHROLLERS (a.k.a. TA505 and EvilCorp), which controls the Dridex malware, has conducted cyber-enabled operations for Russia’s Federal Security Service (FSB), according to the U.S. Treasury Department; this relationship raises the possibility that some of the information actors stole using Dridex could end up in FSB hands.
These actors appear to be carrying out a mix of financially and politically motivated operations that could be called “hybrid” operations. It is sometimes difficult to detect and attribute patterns of activity that blur the boundaries in this way.
Espionage and state-sponsored cyberthreat groups from North Korea, Russia, and Iran are believed to have affected the transportation sector or its ICS or critical infrastructure, as Exhibit 3 illustrates.
Exhibit 4 shows major cybercriminal groups whose targets have included the transportation sector or its ICS or critical infrastructure.
To help mitigate against the growing threat of ransomware, iDefense suggests:
To help mitigate against other threats against the transit sector, iDefense suggests:
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks
 Greenberg, Andy. “How an Entire Nation Became Russia's Test Lab for Cyberwar.” June 20, 2017. Wired. https://www.wired.com/story/russian-hackers-attack-ukraine/
 Satter, Raphael. “Ukrainian police seize software company’s servers.” July 5, 2017. AP. https://apnews.com/fbb32bb07f7047ba945360e8cbd522cf/Ukrainian-police-seize-software-company%27s-servers
 National Cyber Security Centre. “Reckless campaign of cyber attacks by Russian military intelligence service exposed,” October 3, 2018. https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed; “На Мининфраструктуры совершена кибератака, - источник. (A cyberattack has been carried out against the Infrastructure Ministry—Source).” October 24, 2017. 112[.]ua. hxxps://112[.]ua/ekonomika/na-mininfrastruktury-sovershena-kiberataka-istochnik-417332.html
 https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/; Crozier, Ry, “Toll Group suffers second ransomware attack this year,” May 5, 2020, IT News, https://www.itnews.com.au/news/toll-group-suffers-second-ransomware-attack-this-year-547757
 Montalbano, Elizabeth. Pitney Bowes Hit with Ransomware Attack. October 15, 2019. Threatpost. https://threatpost.com/pitney-bowes-hit-with-ransomware-attack/149156/; United States System Update. October 18-November 1, 2019. Pitney Bowes. https://www.pitneybowes.com/us/system-update.html
 Varghese, Sam. More data from freight firm Henning Harders published by ransomware gang. April 24, 2020. IT Wire https://www.itwire.com/security/more-data-from-freight-firm-henning-harders-published-by-ransomware-gang.html
 Cyberangriff auf IT-Netzwerk von Stadler (Cyberattack on Stadler's IT network), May 7, 2020, https://www.stadlerrail.com/media/pdf/2020_0507_medienmitteilung_cyberangriff_de.pdf
 United States District Court, District of New Jersey. United States of America v Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri. Indictment. November 26, 2018. https://www.justice.gov/opa/press-release/file/1114741/download
 https://nj1015.com/nj-largest-hospital-system-forced-to-pay-ransom-in-cyber-attack/; Robles, Frances. A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From Over. July 7, 2019. New York Times. https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html; Uria, Daniel. Ransom hackers hit Georgia courts after cities pay $1M. July 8, 2019. UPI. https://www.upi.com/Top_News/US/2019/07/08/Ransom-hackers-hit-Georgia-courts-after-cities-pay-1M/4111562116580/; Olenick, Doug. City of Cartersville paid $380k ransom to restore access to files. March 3, 2020. SC Media. https://www.scmagazine.com/home/security-news/ransomware/city-of-cartersville-paid-380k-ransom-to-restore-access-to-files/
 Gatlan, Sergiu. US Railroad Contractor Reports Data Breach After Ransomware Attack. February 28, 2020. Bleeping Computer. https://www.bleepingcomputer.com/news/security/us-railroad-contractor-reports-data-breach-after-ransomware-attack/
 Degrippo, Sherrod, “Coronavirus-themed Attacks Target Global Shipping Concerns,” February 10, 2020, https://www.proofpoint.com/us/corporate-blog/post/coronavirus-themed-attacks-target-global-shipping-concerns
 Abrams, Lawrence, “Targeted Phishing Attack Aims For Well-Known Corporate Brands,” February 16, 2020, https://www.bleepingcomputer.com/news/security/targeted-phishing-attack-aims-for-well-known-corporate-brands/
 Falcone, Robert and Brittany Barbehenn. xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations. September 23, 2019. Palo Alto Networks. https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/
 Durando, Dario and Evgeny Ananin. FakeSpy Comes Back. New Wave Hits Japan. October 2, 2018. Fortinet. https://www.fortinet.com/blog/threat-research/fakespy-comes-back--new-wave-hits-japan.html
 iDefense Security Intelligence Services, “Account `network` Advertises Accesses to a Variety of Compromised Networks,” January 31, 2020, https://intelgraph.idefense.com/#/node/malicious_event/view/93763a1d-6fc8-4618-917b-16aff0c9381c
 Kimiagar, Yousef. IRSE conference overview: “CBTC and Beyond.” April 5, 2018. Railway Age. https://www.railwayage.com/passenger/rapid-transit/irse-conference-overview-cbtc-beyond/
 Gordeychik, Sergey. Cyber Resilience of Railway Signaling Systems. October 2019. https://www.researchgate.net/publication/336721816_Cyber_Resilience_of_Railway_Signaling_Systems
 BACNet International. Success Stories. Railway Plaza Building, Tsim Sha Tsui East, Hong Kong. 2016. https://www.bacnetinternational.net/success/stories.php?sid=105
 Cherrington, Geoffrey A. Review of Cybersecurity Requirements in WMATA’s Procurements (OIG 19-08). March 5, 2019, Washington Metropolitan Area Transit Authority. https://www.wmata.com/about/inspector-general/upload/19-08-Cybersecurity-Requirements-in-WMATA-s-Procurements.pdf
 iDefense Security Intelligence Services, “Threat Actor “SHERIFF” Advertises Access to Networks of Undisclosed IT Services Provider,” April 7, 2020.
 Barth, Bradley. DDoS attacks delay trains, halt transportation services in Sweden. October 16, 2017. SC Magazine. https://www.scmagazineuk.com/ddos-attacks-delay-trains-halt-transportation-services-sweden/article/1473963
 Mueller, Robert S. Report on the Investigation into Russian Interference in the 2016 Presidential Election. March 2019. US Department of Justice. https://www.justice.gov/storage/report.pdf
 Denning, Dorothy. How Iran’s military outsources its cyberthreat forces. January 22, 2020. The Conversation. https://theconversation.com/how-irans-military-outsources-its-cyberthreat-forces-129536
 Foreign Office Minister condemns Russia for NotPetya attacks. February 15, 2018. United Kingdom Foreign and Commonwealth Office. https://www.gov.uk/government/news/foreign-office-minister-condemns-russia-for-notpetya-attacks
 Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. December 5, 2019. US Department of the Treasury. https://home.treasury.gov/news/press-releases/sm845
 Mitigating malware and ransomware attacks. February 13, 2020. UK National Cyber Security Centre. https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
 Alert (AA19-339A) Dridex Malware. Last published January 2, 2020. US Cybersecurity and Infrastructure Security Agency. https://www.us-cert.gov/ncas/alerts/aa19-339a