Ransomware ‘likely’ to target transportation OT systems, warns EU cyber agency
Ransomware attacks have become the most significant cyberthreat facing the transport sector in the European Union, according to new analysis published Tuesday.
The 50-page report from the European Union Agency for Cybersecurity (ENISA) is the first analysis the agency has conducted into the threats facing the aviation, maritime, railway and road sectors.
It warns that while the majority of ransomware attacks to date have targeted information technology (IT) systems such as databases, ransomware groups “will likely target and disrupt” operational technology (OT) systems “in the foreseeable future,” potentially causing even more significant effects for victims.
OT systems typically monitor or direct mechanical processes, making them particularly important for the safety of airports, ports, rail traffic and other aspects of the transport sector.
ENISA said that it has not received “reliable information” on such a cyberattack actually affecting the safety of transport, but that the risk of attacks on OT systems is growing due to digital transformation integrating the historically compartmentalized IT and OT systems.
The assumed urgency of the transport sector “to pay ransom to avoid any critical business and social impact” could also be driving more attacks, the agency assessed.
While the majority of attacks on the transport sectors in 2022 were conducted by criminals with a financial motive, state-sponsored groups appeared particularly interested in the maritime sector.
Attacks on ports in Europe, India and Iran have taken place in recent years for a range of purposes — from criminal ransomware attacks through to potential conflict pre-positioning and apparent retaliation among rival states.
Earlier this month, the U.S. Transportation Security Administration handed down new emergency cybersecurity protocols for airports and aircraft operators “because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector.”
War in Ukraine
ENISA cited the Russian war in Ukraine as continuing to loom large over cybersecurity in general, with attacks impacting many organizations inside Ukraine and Russia, as well as in neighboring countries.
Microsoft said Russia’s military cyber operations have expanded beyond Ukraine to hit Poland, referencing the “Prestige” ransomware attacks that targeted the country’s transport and logistics sector. Microsoft attributed these attacks to the Iridium hacking group associated with the GRU, Russia’s military intelligence agency.
The destructive impact of the Prestige ransomware attacks was limited, said Microsoft — hitting less than 20% of one targeted organization’s network — and the group “almost certainly collected intelligence on supply routes and logistics operations that could facilitate future attacks.”
European airports, railways and transport authorities have been targeted by “hacktivist elements with pro-Russian/anti-NATO sentiments,” added the report, although it said the capabilities of these groups “remain low and are largely limited to DDoS and defacement attacks.”
ENISA noted a ransomware attack on the Belarusian state-run train company in January 2022 “in a bid to disrupt Russian troop movements” when the attackers “deployed modified ransomware to bring down the railway system and encrypted servers, databases and workstations belonging to the Belarusian railway service.”
The majority of attacks on the rail sector are targeting IT systems, although researchers have warned about vulnerabilities in rail OT systems for many years.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.