Since war first broke out between Ukraine and Russia in 2014, Russian hackers have at times used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country’s satellite communications, and even trigger blackouts for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who have, over the last two days, disrupted Poland’s railway system—a major piece of transit infrastructure for NATO’s support of Ukraine—appear to have used a far less impressive form of technical mischief: Spoof a simple radio command to the trains that triggers their emergency stop function.
On Friday and Saturday, more than 20 of Poland’s trains carrying both freight and passengers were brought to a halt across the country through what Polish media and the BBC have described as a “cyberattack.” Polish intelligence services are investigating the sabotage incidents, which appear to have been carried out in support of Russia. The saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian president Vladimir Putin.
Poland’s railway system, after all, has served as a key source of Western weapons and other aid flowing into Ukraine as NATO attempts to bolster the country’s defense against Russia’s invasion. “We know that for some months there have been attempts to destabilize the Polish state,” Stanislaw Zaryn, a senior security official, told the Polish Press Agency. “For the moment, we are ruling nothing out.”
But as disruptive as the railway sabotage has been, on closer inspection, the “cyberattack” doesn’t seem to have involved any “cyber” at all, according to Lukasz Olejnik, a Polish-speaking independent cybersecurity researcher and consultant and author of the forthcoming book Philosophy of Cybersecurity. In fact, the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.
“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”
Poland’s national transportation agency has stated its intention to upgrade Poland’s railway systems by 2025 to use almost exclusively GSM cellular radios, which do have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system that allows the “radio-stop” commands to be spoofed.
The only real limitation of the train-paralyzing radio attack, Olejnik says, would be that the saboteurs would have to be relatively close to the target trains—somewhere from hundreds of feet to miles, depending on the power of the radio equipment used in their disruption operation. (Olejnik was careful to note that he hasn’t tested the attack himself.) Given that the disruptions appear to have occurred in three different Polish administrative regions across the country, getting that equipment close enough to all the target trains would likely have been the biggest challenge for the saboteurs. “It is really a cheap operation,” Olejnik says. “The biggest risk is the need of being in proximity.”
Polish State Railways didn’t immediately respond to WIRED’s request for comment. But a statement from the railways agency notes that the train disruptions were due to “unauthorized broadcasting of the radio-stop signal” sent “by means of a radiotelephone by an unknown perpetrator.” The statement adds that “receiving a radio-stop signal results in an immediate stop of all trains whose radios operate on a given frequency.”
Despite those automated emergency stops, the railway agency wrote that “there is no threat to rail passengers. The result of this event is only difficulties in the running of trains.” The Polish Press Agency reported no injuries or damage as a result of the radio sabotage operation.
If Russia or its supporters have in fact sabotaged the railway system of Ukraine’s ally, the operation wouldn’t be without precedent. In fact, Belarusian dissident hackers known as the Cyber Partisans protested Belarus’s support of the Russian military by launching their own rare political ransomware attack against Belarus’s Railways’ IT network in January of 2022, in an attempt to prevent Belarus’s participation in the invasion that came just a month later.
This disruption of Poland’s rail system doesn’t appear to have required any such ransomware or even a penetration of a digital network. But Olejnik cautions that the simplicity of the attack shouldn’t lead anyone to underestimate its effects, which may continue to play out given the difficulty of preventing the radio attack on Polish trains’ unauthenticated communication systems.
“When you’re a hub of support to war-stricken Ukraine, you’re indeed a target,” says Olejnik. “Low-hanging fruits are always the best approach.”
Additional reporting by Lily Hay Newman.
