A Lockbit ransomware attack on train operating company Merseyrail appears to have been the result of a successful compromise of a privileged Microsoft Office 365 account, prompting fresh warnings over the risks of spear-phishing and the importance of email security.
The Covid-hit transport operator confirmed the attack to Bleeping Computer, which was among a number of specialist technology news outlets – alongside national papers – contacted by the Lockbit operators during the attack, via an email that came from the account of Andy Heath, Merseyrail’s managing director since 2017.
“We can confirm that Merseyrail was recently subject to a cyber attack,” a Merseyrail spokesperson said. “A full investigation has been launched and is continuing. In the meantime, we have notified the relevant authorities.”
According to Bleeping Computer, the ransomware operators included in the email an image showing personal data on Merseyrail employees that the gang claimed to have stolen.
Besides news outlets, the email was also sent to internal staff, both to frighten them into pressuring their employer to pay and to publicly shame the organisation into doing so. This is a known variant of the popular double extortion technique, whereby stolen data is leaked as well as encrypted, and Comparitech’s Brian Higgins said such strategies were becoming more common.
“Criminals have caught on to the fact that if their successful breaches are made public before their victims can implement any incident response plans, they have an extra layer of leverage to encourage payment more quickly,” said Higgins.
“Whether it’s contacting potentially affected customers or staff, or notifying the media, the added pressure to resolve the issue can often force victim organisations to bypass security policies and pay up.
“It would appear that in this particular instance, Merseyrail are holding their nerve and following industry standard protocols instead. It takes corporate courage to back up your data, inform the relevant authorities and keep hold of your cash. I hope Merseyrail come out of this successfully and provide a case study of good practice for future cyber crime victims.”
KnowBe4 security awareness advocate Javvad Malik said the attack was a timely reminder of why email accounts should be considered part of an organisation’s critical systems.
“Criminals will target emails as part of phishing attacks to install malware or attempt to take over email accounts so they can masquerade as employees, or siphon off critical information,” said Malik. “Organisations should ensure they have robust controls protecting their email, including email gateways, spam filters, multi-factor authentication, and user awareness and training.”
Armis European cyber risk officer Andy Norton said the nature of the attack on a provider of critical national infrastructure would raise further questions for Merseyrail, and may attract the attention of regulators empowered to fine it over the breach.
“The Department for Transport has published guidance for rail operators to implement cyber resilience and reference the international standard IEC 62443,” he said. “In addition, critical infrastructure is subject to the UK transposition of the NIS regulation, which is best implemented by adoption of the NCSC CAF 3.0.
“Either way, some pretty uncomfortable questions will be asked: What measures did you undertake to ensure your risk assessment was adequate? How do you validate that your defences are appropriate and proportionate? Both are fundamental requirements for due diligent governance.”
Computer Weekly understands the Information Commissioner’s Office has been made aware of the attack and is assessing its impact.