[BreachExchange] Railway Vehicle Maker Stadler Hit by Malware Attack

Destry Winant destry at riskbasedsecurity.com
Fri May 15 10:35:52 EDT 2020 

https://www.securityweek.com/railway-vehicle-maker-stadler-hit-malware-attack

Railway rolling stock manufacturer Stadler Rail is currently
investigating a malware attack that forced some of its systems
offline.

Headquartered in Bussnang, Switzerland, the company produces a variety
of trains (high-speed, intercity, regional and commuter heavy rail,
underground, and tram trains), and trams, and has roughly 11,000
employees at over 40 locations.

Last week, the Swiss manufacturer announced that what appears to be a
professional threat actor was able to compromise its network with
malware and to exfiltrate an unknown amount of data.

“Stadler internal surveillance services found out that the company’s
IT network has been attacked by malware which has most likely led to a
data leak. The scale of this leak has to be further analyzed,” the
company said in a press release.

The company did not provide details on the type of malware used in the
attack, but revealed that the miscreants were attempting to extort
money from Stadler by threatening to make stolen data public, in an
attempt to “harm Stadler and thereby also its employees”.

The company said it immediately took the necessary steps to contain
the incident and that it also engaged with an external team to launch
an investigation into the matter. Authorities were also alerted.

Stadler also revealed that the affected systems were being rebooted,
and underlined that its backup systems are functioning.

The company’s mentioning of systems having to be restored and of
backup data suggests that ransomware might have been used in the
attack.

Ransomware operators such as those behind Maze have been stealing
victim data and have attempted to extort more money by threatening to
make it public in the event a ransom is not paid, and the attack
described by Stadler fits the pattern.

Contacted by SecurityWeek, the Swiss manufacturer refrained from
providing additional details on the incident, given the ongoing
investigation.

More information about the BreachExchange mailing list