Merseyrail, one of the UK’s rail networks, has been hit by a cyberattack. They learned about the breach in an email they received from a ransomware gang that used the railway’s own email system to email employees and journalists about the hack.
Merseyrail is a suburban railway network serving Liverpool, England, the surrounding Liverpool City Region, the Wirral Peninsula, and adjacent areas of Cheshire and Lancashire.
“We can confirm that Merseyrail was recently subject to a cyber-attack. A full investigation has been launched and is continuing. In the meantime, we have notified the relevant authorities.” BleepingComputer, a popular cybersecurity blog, was one of the first to learn about the attack. They received “a mysterious email” earlier this month purportedly from Andy Heath, the Director of Merseyrail, with the subject “Lockbit Ransomware Attack and Data Theft.” While not certain, this subject line links the attack to the Lockbit Ransomware gang.
Besides BleepingComputer, the attackers sent this email to various UK newspapers and staff members of Merseyrail.
Later it turned out that the Lockbit Ransomware gang managed to take over the Director’s @merseyrail.org Office 365 email account and send this email. In the email, the threat actors impersonated Merseyrail’s Director to tell employees that the company suffered a large ransomware attack in which hackers stole employee and customer data.
To prove their point, the attackers included an image showing an employee’s personal information that they allegedly stole.
After numerous attempts to contact Merseyrail, BleepingComputer finally received a reply saying they couldn’t reveal any details because it would have been inappropriate “to comment further while the investigation is underway.”
According to BleepingComputer, the UK Information Commissioner’s Office (ICO) also confirmed Merseyrail’s “incident.”
“Merseyrail has made us aware of an incident and we are assessing the information provided,” the ICO told BleepingComputer via email.
Over the past year, ransomware gangs have become increasingly aggressive in their tactics and have been asking for increasingly high ransom amounts. In addition, attackers used a wider range of tactics that included DDoS attacks and threatening to contact stock exchanges and reveal secret details on police informants.