Cyber attack on rail vehicle manufacturer Stadler/Switzerland

[German]Stadler Rail, a manufacturer of rail vehicles based in Thurgau, Switzerland, has been the victim of a cyber attack. The company's IT network was infected with malware. Addendum: The cyber gang has begun to release extincted data.

Swizz blog reader Adrian W. informed me about the incident by e-mail a few hours ago. The incident is being covered here and here by Swiss media.

Who is Stadler Rail?

Stadler Rail AG (also Stadler Rail Group), based in Bussnang, Switzerland, is a manufacturer of rail vehicles. The product focus is on powered vehicles such as multiple units, light rail vehicles and locomotives. One specialty is tailor-made individual railway products and rack-and-pinion railway vehicles.

The company is organized as a holding company and consists of 15 subsidiaries in different countries. Stadler Rail employs more than 8500 people worldwide.

What has happened?

In a statement Stadler writes, hat the IT network was attacked with malware. The company immediately initiated the necessary security measures and involved the responsible authorities, the release states. A detailed investigation of the matter is currently still ongoing.

They became aware of the attack because Stadler's internal monitoring services have determined that the company's IT network was attacked with malware. The company suspects that it is highly probable that a data outflow of unknown extent has taken place.

The manufacturer states that the unknown attackers are trying to extort large sums of money from Stadler and put pressure on him with the possible publication of data. This is the classic ransomware method, which, in addition to encrypting data and ransom demands, threatens to publish captured data. According to this media, other Stadler locations are also affected.

Backup available, systems up again

Stadler claims to have immediately initiated the necessary safety measures, called in external specialists and involved the responsible authorities. The company's backup data is fully available and functional. At the moment all impaired systems are being restarted. Despite the corona pandemic and the cyber attack, the continuation of the production of new trains as well as Stadler's services is guaranteed.

Ransome with leaked data

Addendum May 29, 2020: A few hours ago I received information from security researchers that the gang behind the Stadler ransomware attack has probably captured data and is starting to publish it on Darknet. The captured or published data is (according to the file list I can see) confidential, but very dry stuff (annual financial statements, contracts, financial manuals, budget planning etc.).

I decided ad hoc not to report on this incident immediately (won't provide a public forum for the ransomware gang) and spoke to Stadler's Corporate Communications department in advance. A spokeswoman informed me of the following:

After the cyber attack in early May (media release of 7 May 2020), the perpetrators blackmailed Stadler by publishing the stolen data and demanded payment of six million US dollars in Bitcoin.

Stadler is not and was at no time prepared to make payments to the blackmailers and has not entered into the negotiations. As a result, the perpetrators have now published internal documents of Stadler in order to harm Stadler and his employees.

I think this consistent attitude is good, because otherwise the business model of the cyber criminals will be supported. The documents published online cannot be used legally by 'interested parties'. Stadler has therefore filed a complaint at its headquarters in Switzerland. The Thurgau public prosecutor's office is currently conducting proceedings. Stadler has also contacted the data protection authorities in all countries where it has offices.