Largest switching and terminal railroad in US investigating ransomware data theft

The largest switching and terminal railroad in the U.S. is investigating the theft of data by a ransomware group.

The Belt Railway Company of Chicago — based in Bedford Park, Illinois — is co-owned by six railroad companies in the U.S. and Canada, each of which uses the company’s switching and interchange facilities.

Operating about 28 miles of railroads, the company allows its owners to bring their trains to the headquarters where they are separated and reorganized. They also provide services to more than 100 local manufacturing companies that ship products across North America.

On Thursday evening, the Akira ransomware gang added the company to its leak site, claiming to have stolen 85 GB of data.

Christopher Steinway, general counsel of Belt Railway, told Recorded Future News that it recently became aware that “a threat actor group posted on its website that it had obtained certain company information.”

“The event did not impact our operations. We have engaged a leading cybersecurity firm to investigate the incident and are working with federal law enforcement,” Steinway said.

“Our investigation remains ongoing.”

#Akira has listed the Belt Railway Company of Chicago which, according to the company's website, "is the largest intermediate switching terminal railroad in the US." #ransomware pic.twitter.com/GPyMhSfKTx

— Brett Callow (@BrettCallow) August 10, 2023

The alleged attack comes as the Transportation Security Administration has sought to take a tougher line with important critical infrastructure like railroads.

The TSA issued new rules governing the cybersecurity of important railways in 2021 and renewed those in October.

Carriers are now mandated to develop network segmentation policies and controls that separate operational technology systems from other IT systems in case of compromise.

The new directives also order carriers to create access control measures, build out detection policies for cyberthreats and implement timely patching or updating processes for operating systems, applications, drivers and firmware.

Belt Railway actually published a blog post four weeks ago from Director of Information Technology Robert Whitlock that explained its efforts to comply with the new regulations.

The blog post says the company passed a TSA audit but received recommendations from regulators that were later implemented.

Whitlock said the plan of action to secure the company’s technological infrastructure and eliminate potential vulnerabilities is also slated to be reviewed by TSA. He also planned to conduct a tabletop exercise this summer that would make “the Belt the first railroad in the country to do so.”

Anne Neuberger, White House deputy national security adviser for cyber and emerging technology, hosted a group of railroad executives last August for a classified briefing about the cyberthreats posed by nation-states like Russia and China.

There have been multiple cyberattacks on railway giants over the last year, including a breach of one of the world’s largest rail and locomotive companies.

The Akira ransomware gang emerged in March 2023 and has since compromised at least 63 victims, including the government of Nassau Bay in Texas; Bluefield University; a state-owned bank in South Africa; major foreign exchange broker London Capital Group; and Yamaha’s Canadian music division.