Introduction

On March 23, 2025 [3] [5] [6], Ukrzaliznytsia [2] [3] [4] [5] [6], Ukraine’s state-owned railway operator, suffered a large-scale cyber-attack attributed to Russian intelligence services. The attack took its customer-facing digital services offline and illustrates how exposed critical infrastructure is to cyber threats in politically sensitive regions [6]. (The year is corrected here to match the cited reports and the April 2025 dates of the sources.)

Description

On March 23, 2025 [3] [5] [6], Ukrzaliznytsia [2] [3] [4] [5] [6], Ukraine’s state-owned railway operator, suffered a large-scale cyber-attack attributed to Russian intelligence services. The attack rendered its website and mobile application inoperable [6] and prevented online ticket purchases [6]. Initially perceived as a technical failure [1], the incident was later identified as a sophisticated cyber-attack employing tactics, techniques [2] [3], and procedures characteristic of Russian intelligence [2] [3], along with custom malware designed to exploit weaknesses in the railway’s infrastructure [1]. Yevheniia Nakonechna [3] [4], Head of the State Cyber Protection Centre of Ukraine [3], described the attack as “an act of terrorism,” emphasizing its impact on millions of users and on public services. The Security Service of Ukraine (SBU) is investigating the incident to establish the attackers’ tactics and prevent a recurrence [4].

In response to the disruption, Ukrzaliznytsia expanded operations at physical ticket offices [5], opening 18 counters at Kyiv’s central station [5], and directed customers to buy tickets in person. Oleksandr Pertsovskyi [2] [3] [4], Chairman of the Board of Ukrzaliznytsia [3] [4], confirmed that the online ticketing website and mobile application were brought back in a backup configuration after 89 hours of continuous work, with additional functionality reinstated by March 30. After initial server overload problems, the online platform was running steadily by March 29 [5], following a migration to a new system [5]. Over 12,000 tickets were sold once online sales resumed, and as of April 1, 90% of online passenger services had been restored; restoration of services for freight shippers was expected to be completed in early April [1]. Pertsovskyi noted that train operations were minimally affected [4], with a 96% on-time arrival rate maintained [4], because railway staff quickly adapted by issuing speed-restriction notifications manually and by increasing ticket office capacity to absorb the surge in demand [4].

On March 31, 2025 [5] [6], the Moscow Metro’s website and mobile application experienced significant disruptions [6], with users reporting that they could not access personal accounts or key features [6]. The metro’s website displayed a message suggesting a cyberattack [6], echoing the notice shown during the Ukrzaliznytsia incident. Up to 40,000 users reported problems with Moscow Metro services on the outage-tracking site Downdetector.su [6], which itself displayed a banner in Ukrainian referencing Ukrainian Railways [6], prompting speculation that the Moscow Metro’s digital services had been compromised [6]. Analysts cited by the reporting suspect that hackers were behind these disruptions [6], given the timing and nature of the incidents [6], which again underscores the vulnerability of critical infrastructure to cyber threats in politically sensitive regions [6].

Pertsovskyi stated that no military or personal data was breached during the incident, because such information is not stored in the affected systems [2]. He estimated that full restoration of all systems could take from four to six weeks up to several months [2], but emphasized that pre-prepared procedures and fallback processes kept trains running without interruption. The restoration effort included thorough verification of backup files and the deployment of additional cybersecurity measures [1], supported by IT specialists from several government agencies and private companies [1]. The attack required significant resources to execute [4], and it is one of a series of hostile actions against the railway’s physical and cyber infrastructure [4].

Conclusion

The cyber-attack on Ukrzaliznytsia underscores the critical vulnerabilities of infrastructure systems, particularly in politically sensitive regions [6]. The incident prompted swift mitigation, including expanded physical ticket sales and the staged restoration of digital services from backups. Its implications extend beyond the immediate disruption: it highlights the need for robust cybersecurity measures, tested fallback procedures, and international cooperation to safeguard essential services against future attacks.

References

[1] https://kyivindependent.com/ukrainian-railways-cyberattack-russian-tactics/
[2] https://www.pravda.com.ua/eng/news/2025/04/1/7505522/
[3] https://www.infosecurity-magazine.com/news/ukraine-russia-railway-hack/
[4] https://en.interfax.com.ua/news/general/1060146.html
[5] https://english.nv.ua/business/russian-railways-hit-by-major-cyberattack-as-digital-battle-escalates-with-ukraine-50502564.html
[6] https://thecyberexpress.com/moscow-metro-disrupted/