Cyber Incident Victim: Department for Transport
Date: Nov 2021
Location: United Kingdom
Summary
A UK Department for Transport subdomain normally providing statistical data inadvertently displayed pornographic content due to a compromise, prompting temporary redirection of the main website to a password-protected WordPress page during investigation. The department confirmed no data loss occurred and permanently deactivated the affected subdomain, attributing the incident to misuse of a dormant webpage. While the exact breach method remains unclear, possibilities include domain hijacking via an abandoned cloud storage instance or unauthorized DNS alterations. Similar prior incidents involved third-party vulnerabilities and expired domains leading to unauthorized content on government and news sites, though restoration of primary services was achieved post-incident.
Description
On November 25, 2021, the UK Department for Transport (DfT) subdomain charts.dft.gov.uk, typically used to publish departmental statistics and business plans, began serving pornographic content to visitors. The incident was first identified by an entity referred to as The Crow, which also noted that the primary dft.gov.uk domain redirected to a password-protected WordPress plugin page at eu-hauliers.dft.gov.uk during the investigation. BleepingComputer verified these anomalies, confirming that accessing charts.dft.gov.uk led to explicit material while the main DfT site remained inaccessible via its usual address. The DfT took the affected subdomain offline within hours of discovery, rendering it permanently unreachable. By the time of BleepingComputer’s report, the main dft.gov.uk domain had been restored to normal operation, though charts.dft.gov.uk remained decommissioned.

The root cause remained unclear, with two plausible scenarios under consideration: either threat actors hijacked a dormant AWS S3 instance linked to the Charts subdomain (a "dangling" resource) and repurposed it to host adult content, or attackers compromised DfT’s domain registrar systems to alter DNS records for charts.dft.gov.uk. A DfT spokesperson characterized the compromised site as a "disused, dormant page" and confirmed no data loss or compromise occurred beyond the defacement. The department permanently deleted the subdomain’s address as a containment measure.

This incident mirrored prior compromises of government and news websites, including September 2021 attacks where US government sites displayed Viagra ads and adult content via exploited third-party software, and July 2021 incidents where major news outlets embedded pornographic videos after the vid.me domain changed ownership. The DfT did not disclose technical details of its investigation or whether external parties assisted in remediation.
