Cyber Incident Victim: Deutsche Bahn AG

Date: May 2017

Location: Germany

Summary

A widespread ransomware attack utilizing WannaCry malware disrupted operations across multiple sectors globally, including transportation systems. Deutsche Bahn experienced impacts to electronic information boards displaying train schedules at stations, though the company confirmed no disruption to actual train services occurred. The incident was part of a broader cyberattack affecting over 200,000 computers in numerous countries, targeting entities such as hospitals, government agencies, and corporations. While critical infrastructure components like Deutsche Bahn's operational servers remained unaffected, the attack highlighted vulnerabilities in public-facing systems reliant on networked devices. Other high-impact disruptions included healthcare services being forced to cancel appointments and industrial production halts at manufacturing facilities.

Description

The WannaCry ransomware cyber-attack emerged globally around May 12, 2017, rapidly infecting over 200,000 computers across 150 countries. Among the affected entities was Deutsche Bahn, Germany's national railway operator, which experienced disruptions to electronic information boards at train stations that displayed arrival and departure times. Despite this compromise to passenger information systems, Deutsche Bahn confirmed no disruption to actual train services, indicating operational continuity for core transportation functions. The attack leveraged vulnerabilities in Microsoft Windows systems, with Russia registering the highest attempted infection rates according to Kaspersky Lab analyses—impacting the interior ministry, railways, banks, and telecom providers. Russia's interior ministry isolated approximately 1,000 infected computers but maintained critical server functionality through domestically developed software like the Elbrus operating system.

The ransomware encrypted files on compromised systems, demanding payments typically around $300 to restore access. In the UK, the National Health Service faced severe operational disruptions, with 48 trusts in England and 13 Scottish NHS organizations diverting patients due to locked systems. Renault halted production at multiple sites, while Nissan’s Sunderland factory and Spanish firms like Telefonica implemented containment measures. China reported extensive damage, including payment system failures at China National Petroleum Corporation petrol stations and academic disruptions at universities relying on outdated software. South Korea’s largest cinema chain experienced advertising server compromises, and Indonesia’s Dharmais Cancer Hospital resorted to manual record-keeping after patient files were encrypted. Despite widespread collateral damage, India’s critical infrastructure avoided major impacts through preemptive security patches. Deutsche Bahn’s experience exemplified the attack’s pattern of targeting peripheral systems without crippling essential services, though recovery efforts and financial losses varied significantly across sectors and regions.
