Public Wi-Fi services at 19 key railway stations across the UK, including several major terminals in London, are currently being restored following a cyber attack that resulted in the display of Islamophobic messages on login pages for users attempting to connect.
The incident, which is suspected to be carried out by far-right hacktivists—though this has not been confirmed—occurred during the busy evening rush on Wednesday, September 25. As a precaution, the services were taken offline while investigations and fixes were implemented. As of now, the Wi-Fi remains disrupted and may take up to 48 hours to be fully operational again.
Network Rail issued a brief statement regarding the incident, saying: “Last night, the public Wi-Fi at 19 of Network Rail’s managed stations experienced a cybersecurity incident and was swiftly taken offline. A thorough investigation is currently in progress. The Wi-Fi, provided by a third-party vendor, operates independently and is a simple ‘click and connect’ setup that does not gather personal information. We expect to restore the service by the weekend after completing final security checks.”
Telent, which manages the affected networks, stated: “In response to the cyber incident involving the public Wi-Fi at Network Rail’s managed stations, Telent has been collaborating with Network Rail and other parties. Investigations with Global Reach, the Wi-Fi landing page provider, revealed that an unauthorized modification was made to the Network Rail page, and the case is now under criminal investigation by the British Transport Police. No personal data has been compromised. As a precautionary measure, Telent has temporarily suspended all Global Reach services while ensuring that no other customers were affected.”
The impacted stations include Birmingham New Street, Bristol Temple Meads, Clapham Junction, Edinburgh Waverley, Glasgow Central, Guildford, Leeds, Liverpool Lime Street, London Bridge, London Cannon Street, London Charing Cross, London Euston, London King’s Cross, London Liverpool Street, London Paddington, London Victoria, London Waterloo, Manchester Piccadilly, and Reading.
Assessing the Threat: Lone Attacker or Nation-State Involvement?
While many experts have pointed out the vulnerabilities facing critical infrastructure like the UK’s rail system against attacks exploiting related systems, the specific nature of the incident involving Network Rail suggests it may not be the work of financially driven cybercriminals. The possibility of involvement by a nation-state actor remains uncertain, particularly as such actors are known to sometimes disguise themselves as disruptive online hacktivists—a trend that has increased since Russia’s invasion of Ukraine in 2022.
Jake Moore, global cybersecurity adviser at ESET, commented: “Cyber attacks frequently operate in stealth, aiming to execute objectives unnoticed until significant damage has occurred. However, the defacement of the Wi-Fi login screen with a provocative message may indicate a motive focused on testing the system’s security rather than posing a real threat. The attack likely exploited the weakest link in the supply chain, probably through a phishing campaign.
“Financially motivated cybercriminals typically seek data for theft or sabotage, often followed by ransom demands. In this case, however, it appears there has been no such demand, only an implied need for enhanced security measures following a separate incident involving Transport for London earlier this month.”