Cyber attack on Railways: what happened and who is responsible.
Ticket offices are still out of service due to the hacker attack against State Railways which stopped ticket sales at the station yesterday morning. At the stations it is impossible to buy tickets neither at the ticket office nor at the self-service at the moment. "Suspicious activity on the company's network indicates an attack similar to those using CryptoLocker ransomware," Railways said in a statement yesterday. “At the moment it is not possible to say when they will be restored, the rail traffic has continued throughout the day on a regular basis. The news is circulating of an alleged ransom request of which we are not aware ”, said Marco Mancini, head of the press office of the FS Italiane Group, on Tg1 last night. "It is conceivable that the cyber attack on the railways that blocked some systems of the company is attributable to Russia". Ansa wrote it yesterday, reporting qualified sources of Italian security. According to the Ansa institutional sources, "the type of attack and the modus operandi with which it was carried out would in fact be attributable to Russian hackers". At the beginning of the month, the CSIRT (Computer Security Incident Response Team), a structure established at the National Cybersecurity Agency (Acn), had issued an alert for possible cyber attacks in Italy related to the conflict in Ukraine. Hypothesis excluded by Fs. "At present, there are no elements that allow us to trace the origin and nationality of the cyber attack," said Ferrovie yesterday. It is also denied by the National Cybersecurity Agency itself. "Only criminals behind the hacker attack on the railways," Roberto Baldoni, director of the ACN, told Corriere della Sera. "No to the psychosis of the attack linked to the war in Ukraine. Here there is a criminal matrix, as elsewhere ", emphasized Baldoni. All the details. WHAT HAPPENED On 23 March, the FS Group announced that on the corporate computer network "elements that could lead to phenomena related to a cryptolocker infection have been detected: verification activities on the network are in progress". CryptoLocker refers to a type of ransomware that encrypts computer data (effectively blocking it) and asking for a ransom to be paid to restore it. "The cyber attack was allegedly carried out with a ransomware virus introduced through one of the accounts of the system administrators or of those who manage the IT services of FS" reports Il Sole 24 Ore. TURN OFF THE SALES TERMINALS As a precaution, specified Fs, some users of Trenitalia's physical sales systems have been deactivated. Therefore, it is temporarily not possible to buy travel tickets in the ticket offices and self-service stations in the stations, while online sales are operational. "Even the booking of the services of the Blue Rooms of the Italian railway network may not take place with the usual regularity", added the company, underlining that passengers are allowed to board the train and present themselves to the conductor to purchase the ticket without extra charge. The malfunctions recorded, concludes yesterday's note, do not impact on railway traffic, which proceeds regularly. "Until late in the evening, however, the door through which the virus would have entered had not yet been identified and for this reason a series of services (the ticket offices, in fact) were blocked: if they had remained active there would be a risk that the virus would spread to other information systems, blocking further services, putting the circulation of trains at risk. A series of checks and investigations are also underway by the Postal Police ”, reports Il Sole 24 Ore. GUILTY CYBER-RUSSIAN CRIMINALS? Returning to the cyber attack suffered by FS, "the type of attack and the modus operandi with which it was carried out, underline qualified sources of Italian security, would in fact be attributable to Russian hackers" reported yesterday the Ansa. BEHIND THE HACKER ATTACK THERE IS THE HIVE GROUP According to Open, "behind the hacker attack that hit Trenitalia and the Italian Railway Network yesterday is the Russian-speaking Hive group, with both Russian and Bulgarian members and affiliates, motivated by money rather than political ideologies. In response to the ransomware-type cyber offensive, consisting of malware that restricts access to the device it infects until a ransom is paid, the group has in fact asked for $ 5 million in Bitcoin. " "What we know for sure at the moment is that the malware used is of the ransomware type and that the attack was triggered by the HIVE gang," Pierguido Iezzi, CEO of Swascan, told Cybersecurity360.it. “The ransomware used should be Hive's” reports more approx uta Republic. “So much so that in the afternoon the hacker group published some chats (probably fake) in which they asked Trenitalia for a ransom of five million. A ransom, they say from Ferrovie, which, however, has never been solicited, nor paid for ". THE POSITION OF FS For its part, on the other hand, Ferrovie does not confirm that it has received requests for money, as stated by spokesman Mancini yesterday on Tg1. In the official note, the FS group made it known that "it is working in close collaboration with the National Cybersecurity Agency and with the State Police. In particular, the National Anti-Crime Center for the Protection of Critical Infrastructures (Cnaipic) of the Postal Police is committed to conducting all the appropriate checks and verifications on what happened today ". WHAT PROF BALDONI, DIRECTOR OF ACN, SAYS "It is a hacker attack similar to others that have hit companies and infrastructures also in Italy in recent times," commented Roberto Baldoni, director of the National Cybersecurity Agency, in an interview with Corriere della Sera. According to Baldoni, in the case of FS we are faced with "a hacker attack similar to others that have hit companies and infrastructures in Italy in recent times too". And when asked if the ransom must be paid, the director of the ACN has no doubts: "From my point of view, you should never negotiate. Instead, awareness and prevention and mitigation practices must be increased ". IBM SYSTEMS For its sales services, Ferrovie dello Stato makes use of IBM, the US technology giant. Trenitalia's sales system is in fact PICO, the Integrated Commercial Platform developed in 2012 in collaboration with Ibm Services. "Ibm developed Pico for Trenitalia using IBM software such as WebSphere, ILOG, DB2, MQ, etc. .. The solution is hosted in the IBM Data Center in Pero (Milan)", reads a note. Furthermore, in 2019 Ferrovie dello Stato Italiane and Ibm strengthened "their collaboration with a new project that improves the customer experience of travelers through artificial intelligence solutions". “Thanks to the new cloud-based cognitive platform, FS Italiane will be able to provide people with assistance services, twenty-four hours a day, with content and advice based on their habits and preferences” explained the companies. THE ITALIAN ALMAVIVA Repubblica wrote today: “Trenitalia is a customer of one of the main Italian software houses”. In the IT sector of FS, for years, Almaviva has been in charge: the technology group chaired by Alberto Tripi for decades has been buying up tenders ”, recalled the daily Domani in 2020. As emerges from the site of the Italian Almaviva, the FS, RFI and Trenitalia Group are among the customers "of solutions and services for integrated local public transport and intermodal logistics".details