Auckland Transport hit by another DDoS cyberattack: AT Mobile app and website impacted

Auckland Transport has been hit by a distributed denial of service (DDoS) cyberattack - the second in little over two weeks. Photo / Sylvie Whinray

Auckland Transport’s website, mobile app and live departure displays have been compromised again after another cyberattack.

An Auckland Transport (AT) spokesperson said they understood the latest attack was related to the most recent one, when a ransomware gang called Medusa demanded a US $1 million ransom, saying if it was not paid the group would release AT’s data online.

“The current issue is a malicious attempt to disrupt the traffic to our website, by overwhelming it with a flood of internet traffic - a distributed denial-of-service attack,” the spokesperson said.

“Customers are experiencing intermittent issues accessing our website, AT Mobile App, AT Park, Journey Planner and public information displays.

AT is currently experiencing a suspected DDoS attack impacting our AT Mobile & AT Park apps, website, Journey Planner, and public information displays.

You can still tag on and off with your HOP card, and top up at top up machines, AT customer service centres and retailers. https://t.co/3Mn6oYGF2U

— Auckland Transport Travel Alerts (@AT_TravelAlerts) September 29, 2023

“We are working to maintain security and access to our website but anticipate these issues unfortunately may be ongoing for some time.”

AT was “confident” no customer or financial data had been compromised, the spokesperson said.

Medusa hit AT with a ransomware attack on September 14.

Reacting to a Herald report on Medusa’s attack and threat to release AT data on the dark web if a US$1m ($1.7m) ransom was not paid, AT chief executive Dean Klimpton said they wouldn’t comply with the demand.

“AT is aware that Medusa has publicly announced a ransom for data,” Klimpton said.

“We have no interest in engaging with this illegal and malicious activity.”

Klimpton said there was no indication that personal or credit card data had been taken in the September 14 attack.

A distributed denial of service (DDoS) attack involves an army of bots that try to access a website simultaneously, overwhelming it and rendering it inaccessible to regular users.

Cyber experts have likened it to sheep blocking a country road. It blocks users but does not put any data at risk.

This afternoon’s DDoS attack appears as retaliation by Medusa for AT’s refusal to pay the cyber ransom - a spiteful move rather than one that puts any data at risk.

AT’s app also had an outage early this morning, but at the time AT put it down to a regular glitch and said it was not related to the cyber attack.

Brett Callow, a threat analyst with NZ-based security firm Emsisoft, notes Medusa also mounted a DDoS attack on Levare International, a Dubai-based maker of artificial limbs, on August 14.

Medusa first emerged in 2021 but didn’t grab headlines until this year.

Callow says the group has claimed responsibility for attacks on the Crown Princess Mary Cancer Centre in Australia, Tonga Communications and the Minneapolis public school system, in an incident where sensitive student and teacher files were leaked.

The gang’s home base remains unknown, but ransomware gangs are typically based in Eastern Europe or Russia - due to a mix of computing talent and authorities often being unwilling to co-operate with Western agencies.