Cyber Incident Victim: Russian Railways JSC

Date:

Apr 2025

Location:

Russia

Summary

Russia’s state-owned railway experienced a distributed denial-of-service (DDoS) attack that disrupted its website and mobile application, temporarily preventing online ticket purchases while physical sales at stations remained operational. The incident followed similar disruptions targeting Moscow’s subway system earlier that week and occurred amid broader cyber tensions, including a prior attack by suspected Russian hackers on Ukraine’s railway and an earlier leak of employee information from the Russian railway’s corporate portal by a pro-Ukrainian group. The perpetrator of the DDoS attack remained unidentified; Ukrainian officials, commenting on their own railway incident, had described that attack as resource-intensive.

CIA Posture: available to members
Motives: 2 motives (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On April 1, 2025, Russia’s state-owned railway operator RZD reported a distributed denial-of-service (DDoS) attack that disrupted access to its website and mobile application. The incident marked the second cyberattack against a Russian transportation entity that week, following disruptions to Moscow’s subway system app and website on March 31. RZD confirmed the attack in a public statement on April 1, attributing the unavailability of its online services to the DDoS incident; in such an attack, junk traffic from many sources overwhelms the target’s bandwidth or servers so that legitimate requests cannot be served. While digital platforms remained impaired, physical ticket sales at railway stations and terminals continued without interruption. RZD did not disclose the attack’s scale, duration, or restoration timeline, stating only that teams were working to resolve the issue. Downdetector, a crowd-sourced outage tracker, showed ongoing disruptions to RZD’s digital services at the time of reporting, with Russian users reporting failures to load the railway’s app and website and an inability to buy tickets online. The attack’s operational impact was confined to digital access points, with no reported effects on train schedules or physical infrastructure.
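The paragraph above describes the effect of the flood but not how an operator would see it in its own telemetry. The following added example (written for this page, not code from RZD, Downdetector or any source cited here) runs two detection signals over constructed web-server access-log lines: a per-source request count, which catches a single noisy client, and an aggregate request count against an assumed baseline, which catches a distributed flood in which no single source is noisy enough to trip the per-source threshold. The log lines, IP addresses, thresholds and baseline rate are all hypothetical.

```python
"""Toy HTTP-flood detector over constructed access-log lines (added example).

Signals per time bucket:
  1. per-source request count          -> one noisy client (plain DoS)
  2. aggregate count vs. a baseline    -> distributed flood spread thinly
     across many sources, which signal 1 alone would miss
Thresholds and log lines are hypothetical, not data from RZD or any source.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, aware datetime, request line) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def bucket_counts(lines, window_s=10):
    """Count requests per (bucket, ip), where a bucket is a window_s-second slice."""
    per_bucket = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on attacker-shaped input
        ip, ts, _ = parsed
        per_bucket[int(ts.timestamp()) // window_s][ip] += 1
    return per_bucket


def detect_flood(lines, window_s=10, per_ip_limit=20, baseline_rps=5.0, spike_factor=10.0):
    """Return findings ordered by bucket.

    noisy_source:    one IP exceeds per_ip_limit requests in a bucket.
    aggregate_spike: total requests in a bucket exceed spike_factor times the
                     expected baseline, however the load is spread over sources.
    """
    findings = []
    expected_per_bucket = baseline_rps * window_s  # hypothetical normal load
    for bucket, counts in sorted(bucket_counts(lines, window_s).items()):
        for ip, n in counts.items():
            if n > per_ip_limit:
                findings.append({"bucket": bucket, "type": "noisy_source", "ip": ip, "count": n})
        total = sum(counts.values())
        if total > spike_factor * expected_per_bucket:
            findings.append({"bucket": bucket, "type": "aggregate_spike",
                             "sources": len(counts), "count": total})
    return findings


def _fmt(ip, ts):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /ticket HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def make_sample_log():
    """Constructed sample, three 10 s buckets starting on a 10 s boundary:
    bucket 0: normal traffic, 3 clients x 10 requests
    bucket 1: distributed flood, 200 sources x 3 requests (no single noisy source)
    bucket 2: one client sending 25 requests, total well under the spike threshold
    """
    base = datetime(2025, 4, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt(f"10.0.0.{i % 3 + 1}", base + timedelta(seconds=i // 3)) for i in range(30)]
    lines += [_fmt(f"203.0.113.{i % 200}", base + timedelta(seconds=10 + i // 60)) for i in range(600)]
    lines += [_fmt("198.51.100.7", base + timedelta(seconds=20 + i // 3)) for i in range(25)]
    lines.append("not a log line")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for f in detect_flood(make_sample_log()):
        print(f)
```

The second bucket is the instructive one: 600 requests from 200 addresses trip only the aggregate signal, so a defence that rate-limits individual clients would have let that bucket through. Real deployments replace the fixed baseline with a rolling estimate and act at the edge (CDN or scrubbing provider) rather than in origin logs, but the two-signal structure is the same.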


No threat actor claimed responsibility for the RZD attack as of the article’s publication. The incident occurred amid heightened tensions following a cyberattack by suspected Russian hackers against Ukraine’s national railway, Ukrzaliznytsia, which disrupted its app and website but spared train operations. Ukrainian cyber officials described the Ukrzaliznytsia attack as resource-intensive, involving custom malware tailored to the target’s infrastructure; that incident was therefore a different class of attack from the volumetric DDoS reported by RZD. RZD itself had faced prior cyber incidents, including a corporate portal data breach earlier in 2025 claimed by the pro-Ukrainian group CyberSec, which leaked over 500,000 employee records containing names, job titles, contact details, and 2025 vacation dates. RZD did not publicly acknowledge the validity of the leaked data or provide updates on that breach. The April 1 DDoS attack underscored the repeated targeting of RZD’s public-facing digital services, though the company preserved continuity of core operations through offline ticket sales.

Sources

1 source (available to members)