Cyber Incident Victim: Ukrzaliznytsia
Date: Mar 2025
Location: Ukraine
Summary
Ukrzaliznytsia, Ukraine’s national railway operator, experienced a large‑scale cyberattack that disabled its online ticket sales, website and mobile app services. In response, ticket offices were staffed with extra personnel, on‑board ticket issuance by conductors was authorized, and manual processes were set up for refunds and special requests while train services continued to run on schedule. The operator worked with the SBU Cyber Department, CERT‑UA and other experts, deploying backup infrastructure and conducting thorough diagnostics before restoring the affected systems.
Description
On March 23, 2025, Ukrzaliznytsia announced a technical failure in its IT system that disabled online ticket sales through its website and mobile application. Later the same day the railway confirmed that the disruption was caused by a large‑scale targeted cyberattack on its online systems. The organization stated that the attack had begun the previous day, as communicated in official statements on multiple channels. Despite the attack, Ukrzaliznytsia reported that its key ticket sales system remained operational, allowing ticket offices to continue issuing tickets. Train traffic was described as stable, with services running on schedule without delays because operational processes had been switched to backup mode, a resilience measure reinforced by prior cyber incidents.

The loss of online services forced passengers to purchase tickets at station box offices, resulting in overcrowding, long queues and frustration. In response Ukrzaliznytsia increased staff at ticket offices and expanded opening hours, for example doubling the number of open offices in Kyiv and later operating eighteen offices instead of the usual eight. International ticket sales, normally available only online, were made available at box offices for departures on March 24 and 25. Passengers who could not retrieve previously purchased electronic tickets were advised to use the PDF copy emailed to them or to present themselves at the station twenty minutes before departure and explain the situation to officials. Military personnel were permitted to buy tickets on board from train conductors, and civilians could also obtain travel arrangements directly on board with conductor assistance as a last resort. Ticket refunds were processed by sending a scan or clear photo of the ticket and a contact phone number to [email protected] at least one hour before departure, with refund applications handled within three days after system restoration. To accommodate demand, additional cars were added to certain trains, such as two cars to train No. 7/8 Kyiv‑Chernivtsi for the March 23 service.

Ukrzaliznytsia’s IT teams worked with the Cyber Department of the Security Service of Ukraine, the State Cyber Defense Center, the Government Computer Emergency Response Team (CERT‑UA) under the State Service for Special Communications, and the Kyivstar IT team to restore services. A backup infrastructure was deployed in a secure environment, and components were prepared for direct restart from backup copies of critical systems while thorough diagnostics and vulnerability checks were performed. Complex connections between different systems were being restored, and the railway continued to provide status updates, noting that queues at major stations were reduced to ten to fifteen minutes. The organization apologized for the inconvenience and thanked railway workers, passengers and partners for their support, stating that it would keep the public informed as recovery progressed.
