Hackers crashed San Francisco’s Municipal railway systems

Last week, unknown attackers hacked the computer systems of the San Francisco’s Municipal railway giving riders a free ride all day on Saturday.

Last week, hackers crashed the computer system of the San Francisco’s Municipal railway, unknown attackers took offline the ticket kiosks offline and gave riders a free ride all day on Saturday, until Sunday morning.

Computers at the San Francisco Muni station computers displayed the message “You Hacked” on Saturday.

According to a spokesperson, the San Francisco’s Muni rail system  “opened the fare gates as a precaution to minimize customer impact.”

According to San Francisco’s CBS affiliate, the system had been hacked for days.

Hackers also breached the Muni’s email system and rumors say employees weren’t sure if they would get paid this week.

“Meanwhile, riders will continue to find the metro gates open, and the system is not reading their payment cards. The fare gates were still wide open Saturday at 6 p.m. at the Embarcadero Station.” reported the San Francisco’s CBS affiliate.

“Ticket kiosks were also out of service.” 

The San Francisco Municipal Transportation Agency, SFMTA, confirmed the cyber attack, but it confirmed that the incident has not affected any service.

A spokesperson with the transit agency tells KPIX 5 it is an ongoing investigation.

“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Muni spokesperson Paul Rose. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

“I think it is terrifying,” said one rider. “I really do I think if they can start doing this you know here, we’re not safe anywhere.”

“I was like, is this part of Black Friday deal, or something?” added another.

Andrew Liptak from The Verge added further details about the attack, he reported that computer screens at MUNI stations displayed a message:

“You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

The Verge cited MUNI Spokesman Paul Rose who spoke to the Examiner and noted that his agency was “working to resolve the situation,” but refused to provide additional details.

The Verge reached the hacker who confirmed he was seeking a deal with MUNI to undo the damage:

“we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”

The same hacker was mentioned in a report published by Morphus Labs in September when researchers linked the crook to a strain of ransomware called Mamba, which employs tactics similar to those demonstrated against MUNI.

Sources confirmed the investigation is ongoing, but at the time I was writing the experts at the transit agency have no idea who is responsible for the cyber attack.

Update November 28, 2016

Statement from CSOOnline

“The ransom demanded in cases like this will vary, but people close to the incident at SFMTA say the ransom is 100 BTC, or $73,184 USD with current exchange rates.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – San Francisco’s Municipal railway systems, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]