Sergey Ermokhin / TASS
stories

Thanks for the data, suckers How information insecurity endangers Russian Railways passengers and risks prison for the company’s I.T. workers

Source: Meduza

On January 13, a hacker dubbed “LMonoceros” posted proof that he broke into the private network of Russian Railways (RZD) and accessed surveillance from cameras at train stations, on railway platforms, along rail tracks, and inside company offices. RZD employees contacted the hacker and together they patched the weakness in the network. This isn’t the first time Russian Railways has had problems with information security: In the past year and a half, the personal information of 700,000 employees and 1.3 million passengers has leaked, and the Wi-Fi aboard highspeed Sapsan trains was hacked in just 20 minutes. Meduza explains how RZD security problems threaten company employees.


An accidental incursion

On January 13, 2021, an I.T. specialist and hacker named Alexey (known as “LMonoceros”) wrote on the Habr online portal that he was able to hack into the Russian Railways internal network. The hacker claims that he gained unauthorized access unintentionally; LMonoceros analyzes routers that are unprotected from outside user connections.  

According to the hacker, with the help of the network scanner “Nmap,” he found a router with an open proxy server that was accessible without any authorization. Once connected, LMonoceros ran the scanner again, this time on the proxy server, and discovered that the router was connected to a private network linking more than 20,000 devices: video surveillance cameras, routers of various manufacturers, IP phones, and various other internal operating systems, such as the platform arrival/departure boards and the heating/cooling systems.

Most of the devices found on the network also were unsecured, the hacker says. Logins and passwords were “factory-set” (meaning the manufacturers set and publish this information in the device paperwork, often simply using “admin/admin”). LMonoceros was thus able to connect to these devices remotely.

The hacker also produced screenshots recorded from video surveillance cameras installed on RZD railroad tracks, platforms, and offices. “Even by a modest estimate, there are at least a thousand cameras [that can be hacked],” wrote LMonoceros, warning that unrestricted remote access could allow an intruder to disconnect cameras from the system without any difficulty. All it would take is the installation of a modified code — a task that could be managed within a week.

“RZD can’t quickly replace the cameras because it doesn’t have enough in reserve and would have to solicit contracts to purchase new ones, according to government procurement requirements. The entire railways will be without video surveillance for at least a month. And that presents a danger of terrorist threats,” the hacker explained.

LMonoceros also produced screenshots of interfaces from many other devices in the RZD private network and pointed out that he’s probably not the only one who discovered this network vulnerability. In the RZD router settings, he found a network connection unrelated to any of the company’s equipment. “There are lots of signs that someone [else] is lurking in this network,” he said.

After the hacker’s publication on Habr, the Russian Railways press service quickly announced an investigation and assured that “there was no leak of the Holding’s clients’ personal information, and there is no danger in traveling.” 

“We remind you that illegal access to computer information is a criminal offense,” the RZD spokesperson added. Not long afterward, LMonoceros revealed that specialists from the company had contacted him, and he says he helped them fix the vulnerability he discovered.

“Sapsan isn’t exactly the most secure. Things are even worse [than they seem]. One of our authors accessed RZD’s network without even being on the train. We explain how he did it, what RZD’s I.T. director didn’t do, and what could happen next.”

Not RZD’s first rodeo

In November 2019, another Habr user, a hacker dubbed keklick1337, described being able to break into the public Wi-Fi aboard a highspeed Sapsan train while traveling from St. Petersburg to Moscow. He claimed that he hacked the RZD public Wi-Fi out of curiosity, noticing that access to the Wi-Fi network required entering the last four digits of the passenger’s passport number, train car, and seat number. He thus surmised that passenger information is stored locally in the system, and decided to check how secure this information was.

It took about 20 minutes to access the information — “and that was only because the server was slow.” To pull it off, the hacker used the Nmap utility and public exploits (programs that execute attacks by using known weaknesses in program software). Keklick1337 scanned the network and discovered multiple network services with open ports; it turned out that they all ran on one server testing the limits of its RAM.

Passenger information from that trip and previous routes, explained the hacker, was stored in text format in a database on that Sapsan’s harddrive. “It was all designed so badly, the same passwords everywhere… Fix everything, RZD, and I’ll check it again in a couple of months,” wrote keklick1337, warning that any users who connected to Wi-Fi aboard a Sapsan train are susceptible to a “sniffing attack,” in which their traffic can be intercepted and analyzed with the aid of special software.

After that post, RZD director of I.T. Evgeny Charkin reported that the company tested its network and “found no vulnerabilities that would lead to leaks of critical information.” “How was the hack possible? This guy probably did it. Probably for fun. Maybe’s he’s some kind of wunderkind,” Charkin said.

Leaks of critical data nonetheless occurred both before and after the company I.T. director’s announcement. One such leak happened in August 2019, a couple of months before the Wi-Fi hack aboard Sapsan, when the personal information of 703,000 RZD employees (of only 732,000 employees at that time) appeared online. Whoever made off with the records left behind a mocking note that read: “Thanks, RZD, for the data supplied by such careful treatment of your own employees’ personal information.”

Russian Railways then turned to the police and, in a few months, an inquiry committee said it had apprehended a suspect: a 26-year-old man outside Krasnodar who was able to use the accounts of two company employees. The hacker was later convicted of felony crimes: unlawful access and unauthorized disclosure of commercial secrets.

The company nevertheless failed to avert an even bigger leak in November 2020, when the personal information of 1.4 million passengers appeared online. This information, it soon became apparent, belonged to registered users of “RZD Bonus.” The leaked file contained their hashed passwords, email addresses, IDs, registration dates, and the dates of their last entries in the system.

Russian Railways acknowledged an attempt to hack the RZD Bonus program but claimed that its security system prevented the hackers from accessing passenger information. According to RZD, the hackers gained access only to a file with company information. A company spokesperson added, “We are now conducting an internal investigation whose results will determine whether we hand it over to law enforcement.” 

Hackers aren’t the only ones who could do time

Current legislation makes RZD a subject of Russia’s Critical Information Infrastructure (CII) and could have consequences for the perpetrators who conduct cyberattacks against the company, as well as for employees responsible for preventing such attacks.

Article 274.1 of Russia’s Criminal Code, adopted in 2016, stipulates punishments for illegal violations of the Critical Information Infrastructure, threatening hackers with up to 10 years in prison (hackers tried under other statutes face more lenient penalties).

Article 274.1 stipulates incarceration for both the hacker and employees of the CII organization if the employees violate the company’s I.T. regulations, in the event that the violations cause damages. Under these circumstances, RZD staff could face up to six years behind bars.

Lawmakers defend these stricter penalties as a necessary defense of Russia’s critical information infrastructure, warning that cyberattacks against these targets could disrupt vital services and result in social, financial, and ecological disaster.

So far, the many security lapses and security breaches at Russian Railways have not caused a cataclysm. Instead, RZD recently promoted I.T. director Evgeny Charkin to serve as the company’s assistant general director.

Russian Railways general director Oleg Belozerov announced plans in late 2018 to invest 150 billion rubles ($2 billion) in digitizing the company’s operations, including improvements in information security. RZD’s new digital transformation strategy explicitly notes the need to “guarantee the continuity of business with the highest standards for information security.”

Recent hacks suggest that the company still has a long way to go.

Story by Maria Kolomychenko

Translation by Peter Bertero