Wabtec suffers data breach and stolen data, as LockBit hackers likely behind attack

Rail infrastructure company Wabtec has disclosed a data security breach in which personal information of individuals associated with its U.S., Canada, U.K., and Brazil entities was accessed. The breach took place last year and potentially exposed personal and sensitive information. In addition to the network intrusion and access to certain systems containing sensitive data, Wabtec has determined that malware was introduced into certain systems during the attack.

Wabtec said in its notice released late December that on Jun. 26, it became aware of unusual activity on its network and promptly began an internal investigation. “It was subsequently determined that malware was introduced into certain systems as early as March 15, 2022. Wabtec, with the assistance of leading cybersecurity firms, assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation.”

The Pittsburgh, Pennsylvania-headquartered company said that it has taken additional steps to reinforce the integrity and security of its systems and operations, including implementing additional procedural safeguards. While Wabtec did not specify the number of individuals affected by the attack, it said it has been notifying all applicable regulatory and data protection authorities, as required.

Wabtec said that the forensic investigation did reveal that certain systems containing sensitive information were subject to unauthorized access and that a certain amount of data was taken from the company’s environment in the June attack. Subsequently, “the information was later posted to the threat actor’s leak site,” it added. 

“On November 23, 2022, Wabtec, with the assistance of data review specialists, determined that personal information was contained within the impacted files,” according to the company. “On December 30, 2022, Wabtec began notifying affected individuals, per relevant regulations, with a formal letter, to let them know their data was involved,” it added. 

Wabtec said that the breached information varies by individual, but includes a combination of data elements such as first and last name, date of birth, non-US national ID number, non-US social insurance number or fiscal code, passport number, IP address, employer identification number (EIN), and USCIS or alien registration number. Other affected data elements include NHS (National Health Service) numbers (UK) and medical record/health insurance information.

The breached data also included social security numbers (US), financial account information, payment card information, account usernames and passwords, biometric information, race/ethnicity, and criminal conviction or offense information.

The timing matches a Jun. 27 news report by Erie News Now, which cited multiple sources working at Wabtec’s Erie plant. These sources described a possible ransomware attack that allegedly prevented employees from logging onto the company network and doing their jobs. The company did not confirm the reports at the time.

Bleeping Computer reported that a couple of weeks later, LockBit published samples of data stolen from Wabtec and eventually leaked all of the stolen data on Aug. 20, presumably after a ransom was not paid. “As Wabtec explains now, its investigation of the incident was concluded on November 23rd, 2022, when data review specialists confirmed that LockBit had stolen files containing sensitive personal information,” it added.

Commenting on the Wabtec attack, Ron Fabela, CTO and co-founder at SynSaber, wrote in an emailed statement that the attack appears to be a straightforward double-extortion attack with the sensitive files published back in August 2022. “What’s intriguing is that although the files were published back in August, Wabtec is just now reporting the data lost. This lag in breach reporting is not uncommon and continues to be a focus for industry and government policy makers,” he added.

Although Wabtec, as a freight rail company, is of some interest, there is no evidence that anything specific to the industrial control systems, plant operations, or other non-HR data was affected by the attack, Fabela said. “While industrial processes are not the intended target, widespread IT outages can have a splash damage effect on processes. All organizations, including those within ICS, must continue to be vigilant as successful ransomware attacks trend upwards,” he added.

This is not the first time that ransomware hackers have targeted the rail sector. Data published by industrial cybersecurity company Waterfall Security last May disclosed that ransomware played a role in the July 2021 rail incident in Iran.

“OT ransomware incidents with physical consequences have thus increased 133% year-over-year from 2020 (from 9 to 22),” Courtney Schneider, a cyber policy research manager at Waterfall, wrote in a company post. “Most of these attacks impacted multiple sites. Published estimates of damage ranged up to $140m per incident. In most of these attacks, IT assets were reported to be impaired, while a minority of attacks manipulated or impaired OT assets directly,” she added. 

The Wabtec breach comes at a time when the critical infrastructure sector around the world is facing ransomware attacks, leading to critical operational downtime and disruption. 

The website of the Port of Lisbon (Porto de Lisboa) has been down for nearly ten days after officials confirmed that cyber attackers targeted it. Around the same time, the LockBit ransomware group added the organization to its extortion site, claiming responsibility for the ransomware attack.

Late last month, Copper Mountain Mining Corporation disclosed that IT systems at its Copper Mountain Mine and corporate office were subject to a ransomware attack in late December. “The company quickly implemented its risk management systems and protocols in response to the attack.” 

Additionally, the company is said to have isolated operations and switched to manual processes, where possible, and the mill has been preventatively shut down to determine the effect on its control system. 

Last October, the U.S. Transportation Security Administration (TSA) issued a cybersecurity security directive requiring designated passenger and freight railroad carriers to enhance their cybersecurity resilience through performance-based measures. The initiative followed extensive input from industry stakeholders and consultations with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the Department of Transportation.
