Hunt for rogue IT firm employee behind Islamophobic cyber hack: Worker goes AWOL as police probe message that shut down rail station wi-fi
The hunt is underway for an IT firm employee after an Islamophobic message appeared on public wi-fi landing pages at 19 of Britain’s railway stations.
Manchester Piccadilly, Birmingham New Street, Glasgow Central, Liverpool Lime Street and ten stations in London were among the hubs affected by the incident which resulted in passengers seeing a message about terror attacks in Europe.
The wi-fi at these railway stations is managed by a third-party provider named Telent, which has confirmed the act of cyber vandalism was carried out from a legitimate Global Reach administrator account.
It also added that the incident was not a by-product of a network security breach or a technical failure within Global Reach - an IT firm responsible for running the publicly accessible internet service at the aforementioned locations.
The British Transport Police has begun a criminal investigation into the incident, while Telent has insisted no personal data has been affected.
A source inside the investigation into the cyber vandalism has since revealed there was no sign of forced entry on the now AWOL employee’s account.
They said: ‘Global Reach has checked the employee’s account and everything checks out as a normal access – zero sign of “forced entry” - and he’s gone AWOL, which is clearly suspicious.
‘While he’s not from the UK, he has been here for a number of years.’
A recent statement from Telent read: ‘Telent can confirm that the incident was an act of cyber vandalism which originated from within the Global Reach network and was not a result of a network security breach or a technical failure.
‘The aim is to restore public Wi-Fi services by the weekend. Telent are continuing to work with Network Rail, Global Reach and the British Transport Police.’
Network Rail had also confirmed that station wi-fi would not be restored until the coming weekend while further checks are carried out.
Security experts told MailOnline today that the attack which happened yesterday was a stark reminder that public wi-fi can be a playground for cybercriminals, adding that unsecured public networks in busy areas are easy pickings for hackers.
Thousands of other public spaces around the UK such as restaurants, coffee shops, libraries, university campuses, Government buildings, hospitals, schools and airports have free wi-fi hotspots and could therefore all be under threat from a similar attack.
Adrianus Warmenhoven, cybersecurity expert at NordVPN, said the National Rail hack highlights the need for heightened vigilance when using these services — which can be more vulnerable to cyber attacks.
He added that the incident should act as a wake-up call for everyone to be more mindful of the risks associated with unsecured public networks.
Experts advise people using public wi-fi to avoid using sensitive accounts such as online banking or shopping websites that require personal information.
Customers should also ensure they are connecting to the correct network, given that hackers have created fake hotspots with names similar to legitimate networks.
Mr Warmenhoven added: ‘To fortify your online security further, make sure your device’s software - or antivirus programs - are up to date.
‘It’s also wise to disable automatic connections to any available networks, to prevent your device from connecting to any malicious services which could put your security or personal information at risk.’
According to its website, Telent helps design, build, support and manage some of the UK’s critical digital infrastructure, and its other customers include Openreach, Transport for London (TfL), National Highways, the Maritime and Coastguard Agency and the NHS Ambulance Radio Programme.
It has not yet been confirmed if any of Telent’s other customers have been impacted by the incident.
The wi-fi landing page following the National Rail hack said ‘We love you, Europe’ and contained information about terror attacks, according to users posting on social media.
The attack has been compared to the BBC’s new drama Nightsleeper, which features a sleeper train travelling from Glasgow to London which is hacked and hijacked.
The wi-fi was still down this morning at the 19 stations, which include Bristol Temple Meads, Edinburgh Waverley, Leeds, Guildford and Reading.
The ten London stations affected were Cannon Street, Charing Cross, Clapham Junction, Euston, King’s Cross, Liverpool Street, London Bridge, Paddington, Victoria and Waterloo.
Among the cyber security experts commenting on the attack today was Alex Richards, director of Liberate IT Services, who told MailOnline: ‘This will have been a malicious actor directly targeting the public wi-fi for propaganda purposes or to promote an agenda.
‘Public wi-fi is always isolated and firewalled from any other network so there will be no risk to data held or processed by Network Rail themselves. Public wi-fi is the easiest target due to its accessibility, and the most visible when tampered with.
‘The only potential danger is that anyone else using the public wi-fi at the time could have had their data snooped. This is where information being sent from/to your device on the public wi-fi is inspected and listened to.
‘This is why it is important to only use encrypted services on public wi-fi, or a VPN service using encryption. Better yet, stay clear of public wi-fi and use your 4G or 5G data service.’
James Bore, director at security and technology consultancy Bores Group, also told MailOnline: ‘This sort of attack largely isn’t a threat to users of the wi-fi as it appears to be an activist attack designed to spread a message.
‘From the details available it’s likely the provider of the wi-fi system was the one compromised, and a lot more of their clients than Network Rail will have been affected - however with the busy stations they were noticed first.
‘This sort of attack involves changing the home page - called the captive portal - to another page, and it can be used to steal credentials but in this case was used to spread a message.
‘Honestly, the protection against this sort of attack is not to use public wi-fi - when you do use it you are placing trust in the provider not to do this sort of thing, and while it’s rare that these attacks happen there is nothing individuals can do to prevent them.’
And Jake Moore, global cybersecurity adviser at Eset, said the incident appeared to be an attempt to draw attention to a lack of security, rather than a genuine threat.
‘Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete,’ he said.
‘However, defacing the wifi logon screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat - and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.
‘Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place.
‘However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.’
Fellow cybersecurity expert Dan Card, fellow of BCS, The Chartered Institute for IT, said: ‘This looks like an example of opportunistic hacktivism.
‘Speculation that the hack is terrorism-related is inappropriate and plays into the threat actor’s hands.
‘The rail organisations for the stations affected use a single provider - it doesn’t appear that all the necessary security controls would have been in place to prevent this according to info I’ve seen.
‘It’s a reminder that a range of organisations simply aren’t doing what is required or don’t have the resources to do that.’
A Network Rail spokeswoman told MailOnline: ‘We are currently dealing with a cyber security incident affecting the public wi-fi at Network Rail’s managed stations.
‘This service is provided via a third party and has been suspended while an investigation is underway.’
In a later statement, a Network Rail spokesperson said: ‘Last night the public wi-fi at 19 of Network Rail’s managed stations was subjected to a cyber security incident and was quickly taken offline.
‘The wifi is provided by a third party, is self-contained and is a simple click & connect service that doesn’t collect any personal data.
‘The incident is subject to a continuing investigation, but police are seeking help from an employee of one of the service providers. Once our final security checks have been completed we anticipate the service will be restored by the weekend.’
Network Rail manages 20 stations across the network, with London St Pancras the only one that has not been affected by the attack.
A British Transport Police spokesman said: ‘We received reports at around 5.03pm yesterday of a cyber-attack displaying Islamophobic messaging on some Network Rail Wi-Fi services.
‘We are working alongside Network Rail to investigate the incident at pace.’
A spokeswoman for Telent also said earlier today: ‘We are aware of the cyber security incident affecting the public Wi-Fi at Network Rail’s managed stations and are investigating with Network Rail and other stakeholders.
‘We have been informed there is an ongoing investigation by the British Transport Police into this incident, so it would not be appropriate to comment further at this stage.’
In a later statement, Telent added: ‘Following the incident affecting the public Wi-Fi at Network Rail’s managed stations, Telent have been working with Network Rail and other stakeholders.
‘Through investigations with Global Reach, the provider of the wi-fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police.
‘No personal data has been affected. As a precaution, Telent temporarily suspended all use of Global Reach services while verifying that no other Telent customers were impacted.’
While the cyber attack itself did not appear to be affecting train services today, there was major disruption on Avanti West Coast and TransPennine Express services.
All lines between Lockerbie and Carstairs were blocked after an object got caught in the overhead cables, affecting services between Carlisle, Glasgow and Edinburgh.
Elsewhere, flooding continued to disrupt services between Wanborough and Ash in Surrey - while a tree was blocking the line between Hebden Bridge and Todmorden in West Yorkshire.
It comes after a separate cyber attack on Transport for London (TfL) on September 1, which saw some customer data accessed.
A 17-year-old boy has been arrested in Walsall on suspicion of Computer Misuse Act offences in relation to the TfL attack.
TfL has been investigating the incident alongside the NCA and said some customer names and contact details had been compromised.
Some Oyster card refund data may also have been accessed in the cyber attack which could include bank account details.
TfL said this could include bank account numbers and sort codes for about 5,000 customers, and it has directly contacted these people with guidance.
Meanwhile the Football League has issued an alert to clubs following a series of cyber attacks which have seen breaches at both Bristol City and Sheffield Wednesday in recent weeks.
Hackers are thought to be targeting many of the league’s bigger clubs, hunting for the personal data of season ticket holders and those on email lists.
Should they be successful, that information, which can include passwords, is often sold on to a variety of buyers which are thought to include organised crime networks who can then attempt to use the data to carry out a variety of scams.
A further cyber attack back in June led to more than 10,000 NHS appointments being cancelled after pathology services provider Synnovis was targeted.
The hackers were thought to have obtained confidential medical information and blood test results of more than 100,000 patients.
Last month, they were ordered by a High Court judge to unmask themselves and return or delete the stolen data.
And in July, Microsoft suffered a service outage which affected some of its apps and features which was sparked by an attempted cyber attack.
The US technology firm said problems on its Azure cloud platform had been triggered by a distributed denial-of-service (DDoS) attack, where hackers try to knock a platform offline by flooding it with traffic until it can no longer cope.