News: 1725530411

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

The fingerpointing starts as cyber incident at London transport body continues

(2024/09/05)


The Transport for London (TfL) "cyber incident" is heading into its third day amid claims that a popular appliance might have been the gateway for criminals to gain access to the organization's network.

TfL remains tightlipped over the nature of the incident and its broader impact, sticking instead to the line that there is currently no evidence of customer data being compromised or impact to TfL services. However, claims have emerged regarding how criminals got a foothold.

One source close to the matter told us, "The TfL hack was their Cisco VPN getting popped." Other [1]reports noted that pretty much all outbound internet has been cut and inbound restricted, presumably to permit all the employees who found themselves suddenly needing to work from home to get online.

[2]

We put the suggestion to TfL that attackers may have gained access through a Cisco or Netscaler appliance, but the organization told us it would be inappropriate to comment while the incident was ongoing. The alarm was raised when TfL spotted some suspicious activity during routine monitoring. Access was subsequently limited.

[3]

[4]

Other [5]reports say that an abrupt termination of Wi-Fi was the first indicator that all was not well on the network.

The contactless and Oyster account login page remains offline for the time being, while TfL does "maintenance for contactless." Other TfL functions, such as APIs used for live Tube times, are also currently offline, judging by sites such as [6]Citymapper .

[7]

It is not unknown for researchers to point to vulnerabilities in Cisco hardware and software as handy access points for criminals. Deploying patches and keeping an eye on CVEs is an unpleasant game of whac-a-mole for administrators, but not keeping on top of things can have even more [8]unpleasant consequences .

[9]Transport for London confirms cyberattack, assures us all is well

[10]Uber's gig economy business model takes a blow from London legal double-whammy

[11]Mind the gap(ing mouth): London's Underground to get ubiquitous mobile phone coverage

[12]EE and Three mobe mast surveyors might 'upload some virus' to London Tube control centre, TfL told judge

We asked Cisco if it wish to make a comment regarding the incident, but the the US company has yet to reply.

While TfL has remained silent during the incident, its containment steps – abruptly cutting off access – bear all the hallmarks of a reaction to a ransomware attack or exfiltration attempt. Its internal measures remain in place while the investigation takes place.

Depending on the nature of the breach, the UK's Information Commissioner's Office (ICO) should be notified within 72 hours. The Register asked the regulator if it had received a notification from TfL.

An ICO spokesperson wrote in an email, "Transport for London has made us aware of an incident and we are assessing the information provided." ®

Get our [13]Tech Resources



[1] https://cyberplace.social/@GossiTheDog/113073627027560242

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZtnVoykchalPIihu11oQZwAAAUg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtnVoykchalPIihu11oQZwAAAUg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZtnVoykchalPIihu11oQZwAAAUg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.reddit.com/r/london/comments/1f7cxuu/comment/ll6yavw/

[6] https://citymapper.com/london

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtnVoykchalPIihu11oQZwAAAUg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/01/31/cisco_vuln_akira_attacks/

[9] https://www.theregister.com/2024/09/03/tfl_cyberattack/

[10] https://www.theregister.com/2021/12/06/uber_free_now_court_appeal_double_whammy/

[11] https://www.theregister.com/2021/06/22/londons_underground_mobile_coverage/

[12] https://www.theregister.com/2021/06/09/mobile_mast_surveyors_virus_upload_silliness/

[13] https://whitepapers.theregister.com/



Questionable position

Mike 137

" sticking instead to the line that there is currently no evidence of customer data being compromised "

Not a valid position. "we haven't found any evidence" does not equate to "there is no evidence". Largely depends on how much appropriate effort has been expended in looking for evidence.

Re: Questionable position

m4r35n357

"there is currently no evidence of customer data being compromised" - that is what the intruders want TfL to think, coincidentally it is also what TfL want their customers to think.

We don't stand a chance in this environment.

Re: Questionable position

elsergiovolador

"We are yet to squint harder"

Re: Questionable position

Headley_Grange

There's no valid position until they've done what they need to do to find out what's gone on and what's been compromised. For some unfathomanble reason the truth - "We don't know, leave us alone until we've found out at which point we'll be in touch." isn't an acceptable answer for the press nor its readers.

Re: Questionable position

Guy de Loimbard

Totally agree with your comment Headley_Grange, but there's no stopping the insatiable appetite from the press to stir things up when there's a void of truth, speculate and make some shit up just to keep people interested until you have something truthful to say, if you're interested in the truth of course?! YMMV

Re: Questionable position

ChrisC

That may be true, however I'd still prefer organisations to be truthful rather than, if this is what's happening, pandering to the demands from the media/masses for a more definitive/positively spun answer - better to say "sorry, we really don't know yet", than to attempt to assuage the court of public opinion and risk ending up on the wrong side of an *actual* court if it then turns out their optimistic spin was entirely without merit...

Re: Questionable position

0laf

Truthful? Somehow I think I'll die of old age before I hear the truth which will be the boardroom stating, "yeah we got nailed by some 14yr old skiddies from China who sent the CFO a phishing mail disguised as a discount voucher for a Thai massage parlor and he's clicked on it because he refuses to do any of the mandatory cyber security training, it contained 372 different sorts of malware but it got through because we cut the IT budget to 50p in 2013 and told them to keep running with the unsupported gear we bought in 2010 (still works yeah) and we've refused all downtime and overtime to do any patching for the last 18 months."

"The security of our customers date is our first concern", might be a complete lie but it's much easier to say, and they'll get away with it as always.

Re: Questionable position

Anonymous Coward

they will have been told to keep shtum by their cyber insurers I expect

Re: Questionable position

0laf

Indeed I think you're hovering around the old Sagan quote (thought it's really much older) - Absence of evidence is not evidence of absence.

And the the old "currently no evidence of customer data being compromised" is the first corner on your cyber-incident-boardroom-avoidance-of-truth bingo card.

Doctor Syntax

How much of the TfL IT environment is is actually TfL's and how much is outsourced?

Anonymous Coward

It's some time since I had reliable knowledge, but certainly in the past the "routine" IT - anything that could be tightly specified (corporate desktops, desktop software, network, email...) - was, I believe, managed by third parties.

However, the tight specification was focused very much on clerical needs and those departments for whom it was unsuitable were expected to make their own entirely separate (and disconnected) provision - though I don't think they got any of their top-sliced corporate IT budget refunded to help pay for it.

tip pc

How much of the TfL IT environment is is actually TfL's and how much is outsourced?

I thought it was all run by the outsourcer capita, but that looks like just the road charging side.

https://www.london.gov.uk/who-we-are/what-london-assembly-does/questions-mayor/find-an-answer/tfl-outsourcing

The Cake Liberation Organisation take their revenge?

Tron

TfL banned posters for a play called 'Tony n' Tina's Wedding' because they had a wedding cake on them. It was seen to promote "foods high in fat, salt and sugar".

The ULEZ is also run (by Capita) on behalf of TfL.

This may be one of the very few cases of ransomware where I shall withhold all sympathy.

Re: The Cake Liberation Organisation take their revenge?

MonkeyJuice

Please at least retain some sympathy for the millions of unfortunate corporate underlings forced to use TfL every day who may be impacted.

1 1 was a race-horse, 2 2 was 1 2. When 1 1 1 1 race, 2 2 1 1 2.