Hackers Breached Railway Network, Disrupted Service

Hackers attacked computers at an unidentified railway company, disrupting railway signals for two days in December, according to a government memo obtained by Nextgov.

According to the memo, train service on the unnamed railroad located in the Pacific Northwest “was slowed for a short while” on Dec. 1, and rail schedules were delayed about 15 minutes after the interference. The next day, shortly before rush hour, a “second event occurred,” but this one did not affect schedules, Nextgov reports.

An investigation determined that hackers — possibly from overseas — had penetrated the system from three IP addresses, according to the memo, which did not name the country from which the hack occurred.

“Some of the possible causes lead to consideration of an overseas cyberattack,” the memo said.

Information stating that a targeted attack occurred was sent out on Dec. 5, along with alerts listing the three IP addresses, to several hundred railroad firms and public transportation agencies, in addition to unnamed partners in Canada.

A DHS spokesman acknowledged the breach in a statement to Threat Level.

“On December 1, a Pacific Northwest transportation entity reported that a potential cyber incident could affect train service,” said spokesman Peter Boogard in a statement. “The Department of Homeland Security (DHS), the FBI and our federal partners remained in communication with representatives from the transportation entity in support of their mitigation activities and with state and local government officials to send alerts to notify the transportation community of the anomalous activity as it was occurring.”

A DHS official added that after more in-depth analysis of the incident, it did not appear to be a targeted attack aimed at the railway and halting service, but was more of a random incident that simply hit the transportation entity. He would not elaborate.

Some of the details are reminiscent of a recent incident involving a water pump in Illinois in which a government fusion center had released a memo claiming Russian hackers had remotely destroyed a water pump at an Illinois utility. The report spawned dozens of sensational stories characterizing it as the first-ever reported destruction of U.S. infrastructure by a hacker. Some described it as America’s very own Stuxnet attack.

But a week later, DHS contradicted the memo, saying its investigators had found no evidence that a hack occurred at all and that the water pump had simply burned out. And the “Russian hacker” whom the center had identified as penetrating the system turned out to be an American contractor who had accessed the utility’s computer system — at the utility’s request — while he was on vacation in Russia with his wife and daughters.

In the case of the railway incident, the information about the breach was contained in a memo that discussed the kind of outreach DHS did to notify interested parties about the incident.

“Amtrak and the freight rails needed to have context regarding their information technical centers,” the memo stated. “Cyberattacks were not a major concern to most rail operators” at the time the incident occurred and, “the conclusion that rail was affect [sic] by a cyberattack is very serious.”

Photo: David Ciani / Flickr