Pro-Russian hacktivist group NoName057(16) has claimed responsibility for taking down the website of the UK private railway company Gatwick Express.
The suspected Gatwick Express Cyber Attack started as an IT disruption on 21 May, with online ticket booking turning inaccessible. The website, which was inaccessible since 21 May, is currently operational.
Gatwick Express, operated by the Govia Thameslink Railway train operating company, provides an express rail passenger service between London Victoria, Gatwick Airport, and Brighton in South East England.
The service falls under the brand name of Gatwick Express, which is part of the Thameslink, Southern, and Great Northern franchise. The officials are yet to respond to our requests for comments.
Gatwick Express cyber attack explained
Gatwick Express started notifying about disruptions in its operations on 21 May. It advised passengers to allocate additional time to complete their journeys on 21 May and to consult live journey planners for the latest updates before heading to their respective stations.
Upon finding out that the Gatwick Express’ website was down, netizens shared post on Twitter where several users were complaining about the inadequacy of the transport website. “Your website and app is down/not working. Can’t book anything online”, read one of the Tweet by an passenger.
Gatwick Express, while replying to the passenger, confirmed that their website was indeed down, and it also shared an alternative method for booking tickets. “Hi there. Our website is currently down. You can purchase tickets at http://nationalrail.co.uk”, reads the company’s response on Twitter.
A Twitter user asked Gatwick Express about the status of the website. To which, Gatwick Express replied that “Our IT team is working to get the website up and running as soon as possible. Is there anything we can help you with in the meantime”.
Moreover, The Cyber Express has made efforts to verify the legitimacy of the Gatwick Express cyber attack by contacting the company. However, as of now, no official response or statement has been received from the company.
During our initial investigation on 21 May, we found that the official Gatwick Express website was offline, displaying a message, “The Gatwick Express website is currently unavailable.” The website turned operational later on 22 May.
The unavailability of a rail service website such as Gatwick Express could create inconvenience and confusion among passengers who rely on the service for their daily commute or travel to and from Gatwick Airport.
Without access to online ticketing services, passengers may also face challenges in purchasing tickets, potentially impacting their ability to travel seamlessly.
Gatwick Express cyber attack: The transportation sector in the UK under fire!
While the alleged Gatwick Express cyber attack can cause significant disruption, it is crucial to note that Go-Ahead (the official UK transportation franchise holder that also operates Gatwick Express) is no stranger to cyber attacks.
In 2022, Go-Ahead, one of the UK’s biggest transport companies that also runs the Great Northern, Thameslink, Gatwick Express, and Southern Rail, encountered an unexpected challenge when it discovered a fault on its server.
Upon reaching the initial attack phase, the threat actors then escalated the issue and began affecting various internal systems, including bus services and payroll software. These disruptions reverberated across multiple back-office functions.
Go-Ahead collaborated with IBM to activate their backup systems to ensure uninterrupted bus services. This collaboration aimed to safeguard the continuity of their bus operations, as per reports by The Guardian.
Fortunately, the cyber-attack has not impacted their rail business, as it operates on separate systems and functions normally in the UK and overseas.
NoName and European critical national infrastructure
NoName057(16), also recognized by aliases such as NoName05716, 05716nnm, or Nnm05716, has been actively supporting Russia since March 2022, along with other pro-Russian groups like Killnet.
In December 2022, the group made headlines for disrupting the website of the Polish government in response to Poland’s recognition of Russia as a state sponsor of terrorism.
More recently, NoName057(16) targeted the Danish financial sector, impacting leading financial institutions, according to reports from Reuters.
The primary objective of the NoName057(16) group is to disrupt websites that are critical of Russia’s invasion of Ukraine. They employ Distributed Denial of Service (DDoS) attacks as their method of choice for carrying out these disruption efforts.
Initially focusing on Ukrainian news websites, they later shifted their attention to targets associated with NATO.
For example, their first claimed disruptions were DDoS attacks in March 2022 on Ukrainian news and media websites such as Zaxid and Fakty UA. The group’s motivations revolve around silencing platforms they perceive as being anti-Russian.
This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Leave a Reply