Cyberattack Investigated At UK’s Busiest Train Stations

Updated A cybersecurity incident is being probed at Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, after unsavory messaging was displayed to those connecting to major stations’ free Wi-Fi portals.

The message displayed to users via a compromised Wi-Fi landing page, seen by The Register, is Islamophobic in nature and references the 2017 Manchester Arena bombings.

All 20 stations managed by Network Rail across the UK are thought to be affected, with Wi-Fi services still unavailable this morning while investigations into the root cause continue.

The stations affected include 10 in London – all the major rail hubs in the city – and other key commuter stations such as Manchester Piccadilly, Birmingham New Street, Leeds, Reading, Glasgow Central, Bristol Temple Meads, and more.

Network Rail and the British Transport Police (BTP) are on the case, with the latter telling us: “We received reports at around 1703 yesterday [25 September] of a cyberattack displaying Islamophobic messaging on some Network Rail Wi-Fi services. We are working alongside Network Rail to investigate the incident at pace.”

Network Rail’s Wi-Fi is operated by Warwickshire-based communications company Telent, which said it’s working alongside the two transport bodies to resolve the issues.

“We are aware of the cyber security incident affecting the public Wi-Fi at Network Rail’s managed stations and are investigating with Network Rail and other stakeholders,” said a Telent spokesperson. 

“We have been informed there is an ongoing investigation by the British Transport Police into this incident, so it would not be appropriate to comment further at this stage.” 

Telent also manages telecoms solutions across other rail networks such as HS1, Crossrail, Transport for Greater Manchester, Transport Scotland, and Mersey Travel, but a spokesperson said no other customers are thought to be affected.

Infosec experts weighed in on the news, saying the event is the latest to highlight how critical national infrastructure (CNI) in the UK is a common target for cybercriminals looking to send a message.

Muhammad Yahya Patel, lead security engineer at Check Point Software, said: “Public Wi-Fi, often unencrypted and easily accessible, provides an ideal entry point for attackers. Unlike the security of home Wi-Fi, which is password-protected and encrypted, public Wi-Fi leaves users’ data exposed to anyone on the network. In this attack, passengers logging in were shown disturbing messages about terror attacks in Europe, underlining the ease with which attackers can manipulate public networks.

“The attack also raises critical questions about how well these networks are maintained,” he added. “Outdated hardware and software create exploitable vulnerabilities, which is a growing concern for systems as vital as public transport. With Network Rail suspending Wi-Fi services and British Transport Police investigating the breach, this event highlights the pressing need to fortify public networks – especially as cybercriminals increasingly set their sights on critical national infrastructure.”

The root cause of the attack is still yet to be confirmed officially, but that hasn’t stopped industry commentators from sharing the intel they’ve gleaned.

Kevin Beaumont, for example, claimed the issues is far from being contained and Telent has various endpoints exposed to the web.

“[Telent] have everything from Outlook Web App facing the internet to a Cisco AnyConnect box without MFA to Juniper management interfaces to documentation servers etc,” he alleged. “Pour one out for the IR team.” ®

Updated to add at 1106 UTC:

Telent has updated its statement to note that Global Reach manages the landing pages, which were seemingly defaced after being compromised via an admin account.

It added that no personal data was affected, stating: “Through investigations with Global Reach, the provider of the Wi-Fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police.”

READ MORE HERE