Public Wi-Fi services at 19 of the UK’s most important railway stations, including most London termini, are in the process of being recovered following an apparent cyber attack that saw landing pages display Islamophobic messages to members of the public attempting to log on.

The attack – possibly the work of far-right hacktivists, although this is unconfirmed – began during the evening peak on Wednesday 25 September and resulted in the services being pulled offline for investigation and remediation. At the time of writing, the service remains disrupted, and may not be fully restored for up to 48 hours.

In a brief statement, a Network Rail spokesperson said: “Last night, the public Wi-Fi at 19 of Network Rail’s managed stations was subjected to a cyber security incident and was quickly taken offline. The incident is currently subject to a full investigation.

“The Wi-Fi is provided by a third party, is self-contained and is a simple ‘click and connect’ service that doesn’t collect any personal data. Once our final security checks have been completed, we anticipate the service will be restored by the weekend.”

A spokesperson for Telent, which operates the affected networks, said: “Following the incident affecting the public Wi-Fi at Network Rail’s managed stations, Telent have been working with Network Rail and other stakeholders.

“Through investigations with Global Reach, the provider of the Wi-Fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page and the matter is now subject to criminal investigations by the British Transport Police.

“No personal data has been affected. As a precaution, Telent temporarily suspended all use of Global Reach services while verifying that no other Telent customers were impacted,” they said.

The affected stations were Birmingham New Street, Bristol Temple Meads, Clapham Junction, Edinburgh Waverley, Glasgow Central, Guildford, Leeds, Liverpool Lime Street, London Bridge, London Cannon Street, London Charing Cross, London Euston, London King’s Cross, London Liverpool Street, London Paddington, London Victoria, London Waterloo, Manchester Piccadilly, and Reading.

Lone attacker or nation-state threat?

Although many observers have highlighted the risks posed to critical infrastructure such as the UK’s rail network posed by attacks exploiting adjacent systems, the highly specific nature of the attack on Network Rail appears to suggest that it is not the work of financially motivated cyber criminals, although the jury is out on whether or not a nation-state actor may be involved. Nation-state actors have been known to hide behind the cover of disruptive online hacktivists, a trend that has spiked since Russia’s 2022 invasion of Ukraine.

Jake Moore, global cyber security adviser at ESET, said: “Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete. However, by defacing the Wi-Fi login screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat – and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.

“Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place. However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.”



Source link