Cyberattack Hits Ukrzaliznytsia: Online Services Return After 89-Hour Recovery Effort

A cyberattack took down Ukrzaliznytsia’s systems for nearly four days. Ticket sales collapsed, pressure mounted, and Ukraine’s rail backbone was put to the test—right in the middle of a war.

Ukrzaliznytsia (UZ), Ukraine’s state railway operator, has confirmed a large-scale, targeted cyberattack on its IT infrastructure, which paralysed online services, including ticket sales, for several days. The attack, which began on 23 March 2025, caused widespread disruption to customer-facing systems and required 89 hours of round-the-clock restoration efforts, according to the company’s official statements and media reports.

UZ’s press service described the incident as a "systematic, non-trivial, and multi-layered" cyberattack, requiring intensive cooperation between its internal teams, external cybersecurity partners, and the Cyber Department of the Security Service of Ukraine (SBU). While train operations remained stable and uninterrupted, passengers were temporarily forced to rely on offline ticket purchases at stations, creating long queues and logistical pressure across the network.

Online Sales Collapse, Passengers Rerouted to Stations

Forbes Ukraine reported that all online systems failed early on 23 March, including ticket sales via UZ’s mobile app and website, as well as support and service request platforms. With 86% of all UZ tickets in 2024 sold online, the outage impacted thousands of passengers, many of whom were left scrambling for alternatives.

"This is an unprecedented cyberattack — targeted, complex and multilayered," wrote UZ Board Member Oleksandr Pertsovskyi on Facebook, confirming the scale of the incident. Despite the disruption, Pertsovskyi stressed that train schedules were unaffected and emergency protocols ensured safe and continuous rail operations. In response, UZ rapidly activated offline contingency measures. These included extending ticket sales hours, opening international ticket purchases at station counters (normally available only online), and redeploying staff to front-line customer service points. The railway also introduced temporary rules allowing onboard ticket purchases in critical cases.

Restoration After 89 Hours: Systems Running in Backup Mode

According to DOU.ua, UZ's technical teams, supported by SBU cyber experts, managed to bring the online systems back online in backup mode after 89 hours of effort. The partial recovery enables ticket purchases and refunds across all routes up to 20 days in advance. However, the platform remains under high load, and UZ has warned of possible temporary slowdowns or failures during peak hours.

The company urges passengers to use the mobile app only for urgent travel needs, noting that features such as ticket archives and full service functionality are still unavailable. Despite the disruption, no sensitive customer data was compromised, UZ confirmed. Passengers were also advised to check their email inboxes for PDF duplicates of valid tickets, and could also board trains using screenshots or bank payment receipts, offering flexibility during the ongoing stabilisation phase.

The Broader Implications: Resilience in Wartime Logistics

The attack on Ukrzaliznytsia shows the vulnerabilities of national infrastructure during wartime. While there has been no official attribution of the cyberattack, UZ has been repeatedly targeted in the past by cyber operations linked to Russia, especially since the full-scale invasion in 2022. As Reuters reported, the company confirmed the breach publicly only after alerting passengers about IT outages, encouraging them to purchase tickets at stations or onboard.

In a Telegram statement, UZ said: "The online sales system of Ukrzaliznytsia has been restored in a backup format... but due to high traffic, temporary interruptions are possible." The first 12,000 tickets were reportedly purchased shortly after the system came back online. Yet the incident also sparked wider concerns about digital resilience and redundancy, especially for a company so heavily relied upon for both passenger and military logistics during wartime.

UZ officials have reiterated that the railway operator maintains pre-established backup protocols due to its experience with prior attacks. According to the company’s statement to Forbes, "services are being tested for potential vulnerabilities before full restoration from backups", and "system integrity remains a top priority."

The fact that UZ was able to restore operations within four days — without any confirmed data leak — proves the value of multi-layered security frameworks and rapid-response infrastructure. However, the full scope of the breach remains unknown, and as ITC.ua pointed out, no public details have yet emerged regarding the attackers or their methods.

While UZ has overcome the immediate crisis, the company continues to urge patience from passengers. As systems stabilise, full service functionality — including historical ticket access, extended booking horizons, and support features — is expected to return gradually. For now, UZ’s focus remains on operational continuity, security validation, and preparing for future threats in an increasingly hostile digital landscape.

Sources: Forbes.ua; Ukrzaliznytsia; DOU.ua; Reuters; ITC.ua