2025/06/30 18:02:49

Information security in Russian Railways


2025: Data breach: 0.5 million records in the leaked file

On February 18, 2025, it became known that the personal data of Russian Railways employees had ended up in the hands of cybercriminals. The stolen database is freely available on the Internet.

According to the Telegram channel "Information Leaks," the leaked file is in JSON format, a text-based data interchange format derived from JavaScript. The source who posted the database claims that the data was obtained from the service portal for Russian Railways employees.

There was a leak of data from Russian Railways employees

In total, the file contains more than 572.7 thousand records. These include the surnames and first names of Russian Railways employees, e-mail addresses (including on the internal domains nrr.rzd, dzv.org.rzd, orw.rzd and others) and work phone numbers. The information is dated January 13, 2025.

As of February 19, 2025, Russian Railways has not commented on the situation in any way. Stolen personal data can be used to organize targeted phishing attacks and other fraudulent schemes. Knowing the names of Russian Railways employees, their phone numbers and e-mail addresses, cybercriminals can lull victims into a false sense of security, which significantly increases the chances of success of a fraudulent campaign aimed, for example, at obtaining confidential corporate information.[1]

2023

Russian Railways employees banned from using iPhones

Russian Railways banned employees from using iPhones at work. This became known on August 9, 2023.

"Yes, indeed, it is forbidden to use the iPhone for official purposes," a source in the transport industry told TASS, answering the agency's question.

Russian Railways banned employees from using iPhones at work

State bodies and companies began banning iPhones at work after the FSB reported uncovering a US intelligence operation that used malware on Apple mobile devices. According to the FSB, several thousand smartphones from the American manufacturer were infected. In addition to Russian users, the security service also found the malware on the devices of foreign subscribers using SIM cards registered to diplomatic missions and embassies in Russia. These were devices belonging to employees of diplomatic missions of NATO countries and the post-Soviet states, as well as Israel, Syria and China.

Following this disclosure, a number of Russian ministries, agencies and state-owned companies, in particular the Ministry of Transport, the Ministry of Industry and Trade, Rostec and Rosaviatsia, decided to stop using the iPhone for official purposes.

Press Secretary of the Russian President Dmitry Peskov said that employees of the presidential administration also cannot use Apple mobile devices for work purposes. According to him, everyone knows that "these gadgets are absolutely transparent," and therefore their use in official communication is prohibited.

The head of the State Duma Committee on Information Policy, Alexander Khinshtein, promised in early August 2023 that Russians would not be banned from using the iPhone. The deputy noted that the question of banning the use of Apple devices was not yet on the agenda. At the same time, he recalled Roskomnadzor's review of the security of Apple products, calling it a necessary and relevant measure.[2]

Details emerged of the cyber attack on Russian Railways that took down its website and mobile application

In July 2023, details emerged of a cyber attack on Russian Railways that took down the company's website and mobile application. According to a Vedomosti source at a company developing information security solutions, it was most likely a DDoS attack. Igor Bederov, an expert at the SafeNet engineering center of the National Technology Initiative, agreed with the newspaper's source.

According to him, DDoS attacks have different vectors and are divided into levels 1 to 7 (L1-L7), ranging from simple attacks on fault tolerance to attacks that directly affect the server hardware or the software that runs an external site, system or server.

Details of a cyber attack on Russian Railways have become known

As a source at a cybersecurity company explained to the publication, the attack took place at the L7 level, meaning the attackers targeted not the hosting provider but a specific site and a specific application.

According to the newspaper, RTK-Solar is responsible for protecting Russian Railways resources. RTK-Solar did not comment on this information at Vedomosti's request.

A representative of Positive Technologies told the newspaper that the company provides Russian Railways with the necessary consulting and technological support in response to its requests. At the same time, the Russian Railways representative clarified that the company had not engaged Positive Technologies for this incident. He additionally told Vedomosti that the company has built a comprehensive layered protection system against such attacks and that RTK-Solar is not the only company protecting Russian Railways. The sources of the attack, he said, were dispersed around the world.

"The attack once again turned out to be successful because, as is usually the case with large corporations, Russian Railways was preparing for the 'last war,'" a source at the information security solutions company told Vedomosti. "Methods that helped relieve the symptoms in February 2022, such as blocking traffic from abroad via GeoIP, are now completely ineffective."[3]

The site and app have been down for three days due to a hacker attack

On July 3, 2023, failures began to occur in the work of the official website and mobile application of Russian Railways. The company confirmed the problems, saying that the computer infrastructure was subjected to a hacker attack.

According to CNews, the website of the largest Russian railway transportation operator failed. At first, attempts to visit it returned various error codes. Users could order train tickets, but the tickets were not displayed in their personal account after purchase. As of July 5, 2023, the Russian Railways website stopped opening altogether. In addition, the company's own application turned out to be inoperable.

"Our website and mobile application were subjected to a massive hacker attack. We are trying to restore their operation as quickly as possible. Ticket offices at stations and terminals are operating normally, and ticket sales are proceeding as usual. We apologize for the inconvenience caused," the official notice from the railway carrier says.

CNews notes that the North-West Suburban Passenger Company (SZPPK), a joint venture of the St. Petersburg authorities and Russian Railways, responded to the incident. The SZPPK said that the failures may be related to problems at Rostelecom, but the telecommunications operator itself has not commented on the situation in any way. There is also no information on when the Russian Railways website and mobile application will be restored.

"Failures are observed not only on our site. We are now looking into it and will try to stabilize the operation of the resource in the near future," said representatives of the SZPPK.

According to CNews, Russians and visitors to the country who cannot buy tickets at stations and terminals have to do so through third-party resources. In that case, however, passengers face an overpayment in the form of a surcharge for the services of intermediaries.[4]

Russian Railways recorded a 36% increase in cyber attacks on its infrastructure in 2023. Who attacked the company and how

In 2023, 4.8 million attacks on the infrastructure of Russian Railways were recorded, 36.3% more than in 2022. This was announced on February 8 at Infoforum-2024 by Yuri Noginov, director of Russian Railways and head of its information security department. Of these, 4.12 million attacks were external (an increase of 65.5%) and 689 thousand were internal (a decrease of 33.6%).

Statistics of attacks on the infrastructure of Russian Railways (data from the presentation of Yuri Noginov)

The vast majority of external attacks consisted of e-mails containing fraudulent messages, intrusive advertising or links to malicious resources; there were 3.5 million such incidents. The main internal incidents were attempted virus infections, of which 618 thousand were recorded.

Statistics of attacks on the perimeter of the infrastructure of Russian Railways (data from the presentation of Yuri Noginov)

As for attacks on the perimeter of the Russian Railways infrastructure, there were 596 thousand of them, of which 203 thousand were DDoS attacks, 140 thousand were vulnerability scans and 72 thousand were attempts to inject commands into database queries (SQL injections). The attacks on the perimeter were quite varied, however: almost 110 thousand of them did not fit the general classification.

According to Yuri Noginov, the infrastructure of Russian Railways had previously been declared a priority target for attacks by the terrorist cyber group "IT Army of Ukraine." Its stated goal is offensive actions against the military and civilian infrastructure of the Russian Federation, while the group itself is a distributed structure of volunteers and amateurs, traditionally called "hacktivists."

Data on the activities of the terrorist cyber group "IT Army of Ukraine" (data from the presentation of Yuri Noginov)

The organizational core of the cyber group assigns targets for attacks by publishing their IP addresses and distributes tools for carrying out destructive actions. Although the group's size is given as 300 thousand people, this is the number of subscribers to its official channel, which quite a few Russian information security specialists also follow. They monitor the group's activities in order to respond quickly to threats from it. The co-organizer of the cyber group is the Minister of Digital Transformation of Ukraine, Mikhail Fedorov.

The declared attack methods of this cyber group target IP addresses and aim for media effect, but its main methods are more fraudulent than hacker-like: deceiving or blackmailing Russian citizens into harming Russia's railway infrastructure.

Slide from the presentation of the cyber group "IT Army of Ukraine" (data from the presentation of Yuri Noginov)

In particular, Yuri Noginov noted that 200 arson attacks on relay cabinets that control the railway infrastructure were recorded. The most characteristic case is the recent incident in Podolsk, when Roman Boldyrev, an inspector of the Russian Railways transport security unit, set fire to a relay cabinet for 3 thousand rubles, delaying two suburban electric trains near Moscow for 20 minutes. The case is under investigation; the defendant faces up to 20 years in prison.

Although the number of external attacks on the infrastructure of Russian Railways is increasing, malicious activity within the infrastructure is decreasing, which indicates that attacks on the perimeter are ineffective, as hackers penetrate inside less and less often. This was achieved, Yuri Noginov said, through the implementation of security measures and the creation of a security infrastructure that allows malware to be detected quickly, localized and prevented from spreading within the corporate infrastructure.

The number of cyber attacks on the IT infrastructure of Russian Railways in 2 years has grown 20 times

The number of cyber attacks on the IT infrastructure of Russian Railways in January-November 2023 exceeded 600 thousand, 20 times more than in 2021. These figures were cited by Dmitry Skachkov, Director of the Digital Development Department of the Ministry of Transport, at a roundtable on the security of critical information infrastructure (CII) facilities in transport, organized by the Federation Council Committee on Constitutional Legislation and State Building.

According to him, in January-November 2023, more than 30 "major incidents" were recorded during targeted attacks on facilities in the transport industry. The increase in the number of attempted attacks "applies not only to Russian Railways," Skachkov said. The attackers' main goals, according to the official, are gaining access to information, virus infection and DDoS attacks.

The number of cyber attacks on the IT infrastructure of Russian Railways exceeded 600 thousand.

As for the main problems in transport organizations, in 60% of cases the problem is outdated passwords. The representative of the Ministry of Transport also noted "blind trust in third-party organizations," through which attacks are also carried out.

"Russian Railways is one of the largest enterprises in the Russian Federation, and it has a very extensive geography as well as a large range of devices in its network, from various types of rolling-stock traffic control systems and cameras to the ticket ordering system. Therefore, it is not surprising that the infrastructure of Russian Railways has become a target for hackers. The more services and devices, the easier it is to attack, since the attack surface grows greatly," said Dmitry Ovchinnikov, chief specialist of the integrated information protection systems department of Gazinformservice, commenting on the Ministry of Transport's data on the growing number of cyber attacks on Russian Railways.[5]

2019: Data of 700 thousand Russian Railways employees appeared in the public domain

On August 27, 2019, it became known that the personal data of 703 thousand Russian Railways employees were publicly available on the Internet. The leak was reported on the Habr.com tech blog by Ashot Hovhannisyan, a corporate data protection specialist and technical director of DeviceLock.

Data such as full name, date of birth, SNILS, address and phone number leaked onto the Internet. In addition, employees' positions and photographs were made publicly available.

Where the leak came from is unknown, Hovhannisyan said, but there is speculation that it is a security service database.

Personal data of 703 thousand Russian Railways employees were publicly available on the Internet

In the comments to the post, users made several assumptions. For example, some believe that the data entered when registering on a certain personnel portal launched six months earlier could have leaked. Relatives of employees note that information security courses were held at Russian Railways, and that the logins and passwords for the tests were provided by the company's security service.

According to Ashot Hovhannisyan, those who gained access to the data thanked Russian Railways for "the information provided and for the careful handling of the personal data of its employees."

A representative of Russian Railways told RBC that the company had begun an audit regarding the publication of employees' personal data in open sources.

"Materials are being prepared for transfer to law enforcement agencies," he added.

Russian Railways also said that the leak did not affect customers' personal data, since the ticket sales system protects personal data with a high degree of reliability.

At the end of June 2019, Russian Railways had about 730 thousand personnel. Thus, the leak affected 96% of the railway operator's employees.

A service portal has been created for Russian Railways employees. Company employees can also access their personal account from a computer, tablet or smartphone.