After last month’s targeted and complex cyber attack on Ukrzaliznytsia that led to a disruption of online ticket sales and cargo registration, the rail operator has identified a distinct ‘Russian trace’ in the incident. Currently, up to 90 percent of essential online passenger services have been restored. Ukrainian Railways specialists ‘plan to launch online services for freight forwarders during the first decade of April.’

Ukraine’s state-owned railway company said in a statement that it took four days of relentless work to restore crucial services, prioritizing passenger ones. The customer database remains safe; nevertheless, the system still requires a considerable amount of effort from the specialists. In restoring online ticket services, Ukrainian Railways received both expert and technical assistance from IT specialists at state authorities and businesses.

In addition, online services are being restored from backup files with thorough verification for hidden threats and the implementation of additional security measures.

“During the large-scale cyberattack on Ukrzaliznytsia, not only online ticketing and service systems were impacted but also the company’s servers,” a spokeswoman at the Ukrainian Railways told Industrial Cyber. “The attack partially affected corporate email services, office computers, the document management system, and some internal corporate resources.”

She added that the company’s IT specialists worked promptly to restore operations, implementing additional measures to protect data and stabilize the digital infrastructure. “Employees switched to backup computers, activated alternative communication channels, and partially transitioned to paper-based processes. Despite the cyberattack, all Ukrzaliznytsia services continue to operate as usual, ensuring stable passenger and freight transportation.”

She declined to disclose information on the number and type of systems that were attacked, including whether they were part of the IT infrastructure or operational infrastructure.

Recognizing that Ukrzaliznytsia has previously been the target of cyberattacks, the spokeswoman explained that the company has developed a comprehensive cybersecurity system over the years, incorporating both technical and organizational strategies. “We have perimeter protection and clearly defined incident response protocols. Due to security reasons, the details of these protocols are not disclosed.”

However, she added that in critical situations, the company has procedures in place for switching to manual operations, processing documents outside of digital systems, and maintaining the functionality of all offline services.

Noting that the consequences of the cyberattack hit passengers the hardest, as most are used to buying tickets online, Ukrzaliznytsia said that 123 additional ticket offices were opened at Ukrainian train stations. For instance, at the Kyiv Railway Station, 32 ticket offices were operating at its peak instead of the usual eight. Additional ticket offices were also opened in Lviv, Dnipro, Odessa, Kharkiv, Vinnytsia and a number of suburban stations. In four days, 155 520 tickets were sold through ticket offices.

The average time in the queue was 15 minutes, and at its peak reached 100 minutes. In such cases, mobile support groups – employees of the Passenger and Station Companies – issued tickets directly on board the trains. At least 500 passengers boarded this way. Cashiers worked in an enhanced mode in several shifts, and 48 additional employees were involved.

“To support passengers who spent additional time in queues, dozens of Ukrainian brands offered special discounts and bonuses to holders of paper tickets purchased during the period of disconnection of the online system,” Ukrzaliznytsia stated. “In addition to online ticket sales, online scoreboards and issuance of preferential travel documents have already been restored. The ‘Iron Friends’ loyalty program will return soon, and with it — all accumulated ‘hugs’ and additional bonuses for the inconvenience.”

Russia’s state-owned railway company, RZD, reportedly announced on Tuesday that it was hit by a cyberattack that temporarily disrupted its website and mobile app. This marks the second incident this week affecting a Russian transportation agency, following issues with Moscow’s subway system app and website on Monday.

On Tuesday, RZD stated that its online services were down due to a distributed denial-of-service (DDoS) attack. Despite this, ticket sales continued at physical locations in stations and terminals, the company noted. 

“We are working to restore their operation as quickly as possible,” the statement said. RZD has not disclosed the extent of the attack or when services will be fully restored. DDoS attacks overwhelm websites with excessive traffic, aiming to make them inaccessible.
