NARSTCO Hit by Cicada3301 Ransomware: 80GB Data Stolen

Incident Date: July 25, 2024

Overview

Victim: NARSTCO

Attacker: Cicada 3301

Location: Cedar Hill, USA; Texas, USA

First Reported: July 25, 2024

Ransomware Attack on NARSTCO by Cicada3301

Overview of NARSTCO

NARSTCO, based in Midlothian, Texas, is North America's leading manufacturer and supplier of steel railroad ties and turnout sets. Established in 1996, the company has become a key player in the rail industry, providing innovative solutions to Class 1 railroads, transit authorities, short line railways, and industrial facilities. NARSTCO is known for its commitment to sustainability, producing high-quality steel ties from recycled materials sourced in the United States. The company employs between 51 and 200 people and generates annual revenues between $10 million and $25 million.

Details of the Attack

On July 25, 2024, NARSTCO fell victim to a ransomware attack orchestrated by the cybercriminal group Cicada3301. The attackers reportedly exfiltrated 80GB of data from NARSTCO's systems. Cicada3301 has threatened to publish the stolen data if NARSTCO does not make contact with them. The attack has raised significant concerns given NARSTCO's critical role in the rail industry and its extensive client base.

About Cicada3301

Cicada3301 is a relatively new threat actor group that emerged in June 2024. Unlike traditional ransomware groups, Cicada3301 operates as a data broker, focusing on stealing sensitive data and selling it on dark web marketplaces. This approach marks a shift from conventional ransomware tactics to more sustained and long-term damage strategies. Cicada3301 has already published data from four victims on its leak site, showcasing its capability to compromise and exfiltrate sensitive information.

Cicada 3301

To clarify, the name “Cicada 3301” was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original “Cicada 3301” organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats. For those interested in the original “Cicada 3301” and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.

Penetration and Vulnerabilities

While specific details on how Cicada3301 penetrated NARSTCO's systems are not publicly available, common vulnerabilities exploited by such groups include weak passwords, unpatched software, and phishing attacks. Given NARSTCO's significant role in the rail industry and its extensive use of technology in manufacturing, the company may have been targeted due to the high value of its data and the potential impact of operational disruptions.

Implications of the Attack

The attack on NARSTCO by Cicada3301 underscores the evolving nature of cyber threats, where data exfiltration and sale have become more prevalent. The exposure of sensitive data can lead to severe consequences, including identity theft, corporate espionage, regulatory penalties, and loss of customer trust. Organizations in critical infrastructure sectors like NARSTCO must remain vigilant and adopt robust cybersecurity measures to protect against such sophisticated threats.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time tracking of ransomware attacks, groups, and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.