The fingerpointing starts as TfL cyber incident continues
The Transport for London (TfL) “cyber incident” is heading into its third day amid claims that a popular appliance might have been the gateway for criminals to gain access to the organization’s network.
TfL remains tightlipped over the nature of the incident and its broader impact, sticking instead to the line that there is currently no evidence of customer data being compromised or impact to TfL services. However, claims have emerged regarding how criminals got a foothold.
One source close to the matter told us, “The TfL hack was their Cisco VPN getting popped.” Other reports noted that pretty much all outbound internet has been cut and inbound restricted, presumably to permit all the employees who found themselves suddenly needing to work from home to get online.
We put the suggestion to TfL that attackers may have gained access through a Cisco or Netscaler appliance, but the organization told us it would be inappropriate to comment while the incident was ongoing. The alarm was raised when TfL spotted some suspicious activity during routine monitoring. Access was subsequently limited.
Other reports say that an abrupt termination of Wi-Fi was the first indicator that all was not well on the network.
The contactless and Oyster account login page remains offline for the time being, while TfL does “maintenance for contactless.” Other TfL functions, such as APIs used for live Tube times, are also currently offline, judging by sites such as Citymapper.
It is not unknown for researchers to point to vulnerabilities in Cisco hardware and software as handy access points for criminals. Deploying patches and keeping an eye on CVEs is an unpleasant game of whac-a-mole for administrators, but not keeping on top of things can have even more unpleasant consequences.
We asked Cisco if it wish to make a comment regarding the incident, but the the US company has yet to reply.
While TfL has remained silent during the incident, its containment steps – abruptly cutting off access – bear all the hallmarks of a reaction to a ransomware attack or exfiltration attempt. Its internal measures remain in place while the investigation takes place.
Depending on the nature of the breach, the UK’s Information Commissioner’s Office (ICO) should be notified within 72 hours. The Register asked the regulator if it had received a notification from TfL.
An ICO spokesperson wrote in an email, “Transport for London has made us aware of an incident and we are assessing the information provided.” ®