‘Cyber vandalism’ shuts down wifi at 19 Network Rail stations

An act of apparent cyber vandalism has hit public wifi at some of the biggest railway stations in the country, replacing the wifi landing page with political messaging and knocking their networks offline.

Manchester Piccadilly, Birmingham New Street, Edinburgh Waverley, Glasgow Central and 10 stations in London are among those affected by the incident on Wednesday which saw passengers trying to log on instead been shown messages about terror attacks in Europe, according to reports.

The Manchester Evening News said the wifi landing page after the hack said: “We love you, Europe” and contained information about terror attacks, which the British Transport Police described as “Islamophobic messaging”.

Cybersecurity experts have said the incident appeared to be an act of “opportunistic hacktivism”, rather than a cyber attack designed to take down infrastructure or attempt to steal people’s personal data, given that such a public show was made of the breach by the bad actor.

And in a statement on the incident, Telent, the third party firm which provides wifi for Network Rail said the “unauthorised change” to the wifi landing page had been done from a “legitimate administrator account” and that the matter was now subject to criminal investigation.

Network Rail, which manages the stations, has suspended wifi services at stations across the country following what it described as a “cyber security incident”.

The only Network Rail-managed station not affected was St Pancras.

A Network Rail spokesperson said: “Last night the public wifi at 19 of Network Rail’s managed stations was subjected to a cyber security incident and was quickly taken off-line.

“The incident is subject to a full investigation.

“The wifi is provided by a third party, is self-contained and is a simple ‘click and connect’ service that doesn’t collect any personal data. Once our final security checks have been completed we anticipate the service will be restored by the weekend.”

British Transport Police said: “We received reports at around 5.03pm yesterday (September 25) of a cyber attack displaying Islamophobic messaging on some Network Rail wifi services.

“We are working alongside Network Rail to investigate the incident at pace.”

Telent said it was working with Global Reach, the firm which provides the wifi landing page, on investigating the incident and that none of its other customers – which includes Openreach, Transport for London (TfL), National Highways, the Maritime and Coastguard Agency and the NHS Ambulance Radio Programme – had been affected.

“Following the incident affecting the public wifi at Network Rail’s managed stations, Telent have been working with Network Rail and other stakeholders,” Telent said in a statement published on its website.

“Through investigations with Global Reach, the provider of the wifi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police.

“No personal data has been affected. As a precaution, Telent temporarily suspended all use of Global Reach services while verifying that no other Telent customers were impacted.”

According to its website, Telent helps design, build, support and manage some of the UK’s “critical digital infrastructure”.

Jake Moore, global cybersecurity adviser at Eset, said the public nature of this incident suggested it was an attempt to gain attention rather than a “genuine threat” to security.

“Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete,” he said.

“However, by defacing the wifi logon screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat – and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.

“Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place.

“However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.”

Fellow cybersecurity expert Dan Card, fellow of BCS, The Chartered Institute for IT, said: “This looks like an example of opportunistic hacktivism.

“Speculation that the hack is terrorism-related is inappropriate and plays into the threat actors’ hands.

“The rail organisations for the stations affected use a single provider – it doesn’t appear that all the necessary security controls would have been in place to prevent this according to info I’ve seen.

“It’s a reminder that a range of organisations simply aren’t doing what is required or don’t have the resources to do that.”

– The stations affected are:
Birmingham New Street;
Bristol Temple Meads;
Edinburgh Waverley;
Glasgow Central;
Guildford;
Leeds;
Liverpool Lime Street;
London Bridge;
London Cannon Street;
London Charing Cross;
London Clapham Junction;
London Euston;
London King’s Cross;
London Liverpool Street;
London Paddington;
London Victoria;
London Waterloo;
Manchester Piccadilly;
Reading