Pro-Ukrainian cybercriminals are behind the DDoS attack on Russian Railways

Website and mobile application Russian Railways July 5 worked with failures. Resources were opened, but it was impossible to buy tickets through them, the Vedomosti correspondent was convinced. “We are trying to restore their work as soon as possible. Ticket offices at stations and train stations are functioning normally, tickets are sold as usual,” she said. Russian Railways in the Telegram channel. Vedomosti sent a request to the company.

Russian Railways reported about the restoration of the site and mobile application only on the evening of July 5. But the company said in a statement about the continuation of a massive attack. “In this regard, as well as with the increased load on the information resources of the company, there may still be some difficulties,” the message says. Russian Railways.

According to the symptoms, what happens to Russian Railways, looks like a DDoS attack, says a Vedomosti source in a developer of information security (IB) solutions. He also recalled that this is not the first successful attack on the company’s resources after the start of a special operation in Ukraine. As early as February 26, 2022, a representative Russian Railways reported that due to a serious DDoS attack on the company’s website, it is malfunctioning. Then the company had to increase the number of operating ticket offices at the stations so that all passengers could buy tickets.

With what resources Russian Railways were subjected to a DDoS attack, Igor Bederov, an expert at the SafeNet engineering center of the National Technology Initiative, agrees. DDoS attacks have different vectors and are divided into levels from 1 to 7 (L1-L7), ranging from simple attacks through fault tolerance to attacks that directly affect server hardware or software that controls an external site, system or server, he explained. According to a Vedomosti source in a company in the cybersecurity market, the attack takes place precisely at the L7 level, that is, attackers attack not a hosting provider, but a specific site and a specific application.

The source of Vedomosti in the company developing information security solutions says that the protection of resources Russian Railways the company “RTK-Solar” is engaged. This information was confirmed by an interlocutor in another company in the cybersecurity market. RTK-Solar did not provide a comment at the time of publication of the material.

To investigate and resolve the incident Russian Railways attracted Positive Technologies. “We provide Russian Railways with the consulting and technological support they need in accordance with the company’s requests to us,” said a representative of the developer of information security solutions.

In 2022, the share of ticket sales Russian Railways in electronic form in long-distance travel was 74%, the company’s CEO Oleg Belozerov reported to Russian President Vladimir Putin during a meeting in Novo-Ogaryovo on February 6, 2023. Total last year Russian Railways carried 1.136 billion passengers, including 108,300 long-distance passengers. Thus, according to Vedomosti estimates, more than 80,000 tickets for long-distance trains were sold via the Internet over the past year.

The head of the monopoly did not provide statistics on suburban trains.

After the start of the special operation, long-distance trains became a key way to travel to the south of Russia, including to popular resorts. 11 southern airports are closed for security reasons, and you can fly to the Black Sea coast only through the Sochi (Adler) airport. Crimea’s only civilian airport in Simferopol is also closed.

But it was from the beginning of July that Russian tourists massively headed to the Crimea, which led to many hours of traffic jams on the highway in front of the Crimean bridge. This situation even became the subject of proceedings at the level of the President of the country: Minister of Transport Vitaly Savelyev July 4 reported Putin about how things are at the entrances to the bridge, at a meeting with members of the government. 5’th of July reportedthat the cork has dissipated. But there were no problems with the railway communication with the Crimea during the traffic jams.

“The attack was once again successful because, as is usually the case with large corporations, Russian Railways were preparing for the “last war,” explains a source in a company that develops information security solutions. “Methods that helped reduce symptoms in February 2022, such as blocking traffic from abroad via GeoIP, are now completely ineffective.”

DDoS attacks on the websites of Russian companies have become more frequent after the start of the military operation in Ukraine. According to StormWall, in 2022 the number of such attacks on all sectors increased by 74%. The main impact of DDoS attacks fell on the financial industry, almost a third of all attacks (34%) were aimed at this area, said in company research.

Due to the increase in the number and intensity of attacks at the beginning of last year, many resources began to restrict access to all IP addresses except Russian, in an attempt to block malicious traffic from other countries. But by the fall of 2022, this measure had ceased to be a reliable defense: attackers began to organize botnets inside Russia, Vedomosti wrote at the end of February.

Often, state information systems (GIS) have a number of vulnerabilities, added Alexander Sanin, commercial director of Avanpost. For example, developers of companies winning tenders can allow them, he continued. “The lowest cost of services, giving the right to win, often have a downside – the creation of a GIS is carried out at a low level, without taking into account the requirements of safe development,” the expert believes.

According to two Vedomosti sources in companies in the cybersecurity market, the attack was organized by a certain “Ukrainian IT army.” Post about the attack on Russian Railways appeared in the Telegram channel of this team. Its creation in February 2022 was announced by the Minister of Digital Transformation of Ukraine Mykhailo Fedorov on his Twitter account. The authors of the channel regularly publish lists of “victims” and post detailed instructions on how to carry out a DDoS attack, so that even users without special technical knowledge can do it.

According to Bederov, the attack is unlikely to last longer than three days. Long-term maintenance of the inoperability of an external resource costs money, in addition, the victim adapts, starting to block IP addresses, investigate the nature of the attack, analyze the actions of bots, etc., he explained. Resources will earn, but DDoS attacks are often accompanied by hacks, so attempts to steal personal data and other confidential information are not ruled out, the expert warned. Data leaks, hacking and similar actions are possible if there are other attacks in parallel, and DDoS is used as a cover, a source in one of the companies in the cybersecurity market explained.

In addition, you should beware of the subsequent actions of intruders, ranging from the rapid creation of fake sites Russian Railways and applications to fraudulent calls with the aim of extorting credentials allegedly to “solve recent technical problems,” said Alexei Parfentiev, head of the analytics department at Serchinform.