Passengers shown ‘terror attack’ message in Wi-Fi hack on railway stations

Telegraph reporters
Railway station
Railway station

Railway stations across the country have been targeted in a cyber attack in which the public Wi-Fi page has been replaced with messages about terror attacks in Europe.

Manchester Piccadilly, Birmingham New Street, Edinburgh Waverley, Glasgow Central and 10 stations in London are among those affected by the incident.

The Manchester Evening News said the Wi-Fi landing page after the hack said: “We love you, Europe” and contained information about terror attacks, which the British Transport Police described as “Islamophobic messaging”.

Cybersecurity experts have said the incident appeared to be an act of “opportunistic hacktivism”, rather than a cyber attack designed to take down infrastructure or attempt to steal people’s personal data, given that such a public show was made of the breach.

In a statement on the incident, Telent, the third-party firm that provides Wi-Fi for Network Rail said the “unauthorised change” to the Wi-Fi landing page had been done from a “legitimate administrator account” and that the matter was now subject to criminal investigation.

The message appeared on the Wi-Fi log in page at various stations
The message appeared on the Wi-Fi log in page at various stations

British Transport Police said on Thursday evening that a man had been arrested for cyber vandalism.

A spokesman said: “The man is an employee of Global Reach Technology who provide some wifi services to Network Rail. He has been arrested on suspicion of offences under the Computer Misuse Act 1990 and offences under the Malicious Communications Act 1988.

“Officers received reports just after 5pm yesterday of a breach of some Network Rail wifi services at railway stations which were displaying Islamophobic messaging.

“The abuse of access was restricted to the defacement of the splash pages, and no personal data is known to have been affected.”

Network Rail, which manages the stations, suspended Wi-Fi services at stations across the country following what it described as a “cyber security incident” on Wednesday night.

The only Network Rail-managed station not affected was St Pancras.

A Network Rail spokesman said: “Last night the public Wi-Fi at 19 of Network Rail’s managed stations was subjected to a cyber security incident and was quickly taken off-line.

“The incident is subject to a full investigation. The Wi-Fi is provided by a third party, is self-contained and is a simple ‘click and connect’ service that doesn’t collect any personal data. Once our final security checks have been completed we anticipate the service will be restored by the weekend.”

Telent said it was working with Global Reach, the firm that provides the Wi-Fi landing page, on investigating the incident and that none of its other customers – which include Openreach, Transport for London (TfL), National Highways, the Maritime and Coastguard Agency and the NHS Ambulance Radio Programme – had been affected.

“Following the incident affecting the public Wi-Fi at Network Rail’s managed stations, Telent have been working with Network Rail and other stakeholders,” Telent said in a statement published on its website.

“Through investigations with Global Reach, the provider of the Wi-Fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police.

“No personal data has been affected. As a precaution, Telent temporarily suspended all use of Global Reach services while verifying that no other Telent customers were impacted.”

According to its website, Telent helps design, build, support and manage some of the UK’s “critical digital infrastructure”.

Jake Moore, a global cybersecurity adviser at Eset, said the public nature of the incident suggested that it was an attempt to gain attention rather than a “genuine threat” to security.

“Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete,” he said.

“However, by defacing the Wi-Fi login screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.

“Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place.

“However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.”

Dan Card, a cybersecurity expert and a fellow of BCS, The Chartered Institute for IT, said: “This looks like an example of opportunistic hacktivism. Speculation that the hack is terrorism-related is inappropriate and plays into the threat actors’ hands.

“The rail organisations for the stations affected use a single provider – it doesn’t appear that all the necessary security controls would have been in place to prevent this according to info I’ve seen.”

Advertisement