Rolling stock manufacturer Newag, Poland’s Lower Silesian Railways (LSR), and a group of hackers called Dragon Sector, are locked in a three-way legal argument surrounding 11 trains that somewhat mysteriously stopped working, and were later “repaired”. 

Back in 2022, the rail operator in the Lower Silesia region of Poland reported that four of its Impuls locomotives would not start, so it sent them for maintenance. 

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

But LSR did not send the train back to Newag, the manufacturer, rather they were sent to independent mechanics Serwis Pojazdów Szynowych (SPS). During the work, SPS reported mysterious software problems, which appeared to be stopping the trains from operating. 

According to Polish news publication Rynek Kolejowy, the issues with the four locomotives caused a “serious problem” for the rail operator and passengers. 

But the central issue is potentially much larger and more serious for the rail industry than delays, however annoying for passengers. 

Train hack allegations swirl

According to the hacker group Dragon Sector, when SPS could not solve the issue – which they had identified as a software fault – an engineer found the computer cracking experts with a Google search. 

In an interview with digital technology publication 404 Media, Dragon Sector said they were able to diagnose and ‘repair’ the issue, which was a result of “arbitrary” locks put on the trains’ computer systems. 

The allegation from SPS and Dragon Sector is that Newag installed so-called “parts-pairing” code in its systems, which effectively ‘brick’ the trains if they are repaired or interfered with by third parties. This technique is widely used in the consumer tech sector, as iPhone users who have ever tried to have repairs done by unlicensed engineers will know. 

Dragon Sector alleged Newag installed geo-locating code that alerted the company when its trains entered mechanics yards that were not approved by the manufacturer, and ‘bricked’ the systems. 

But in a strongly-worded statement on its website, Newag denied this entirely, and said it was part of a negative marketing campaign by its “competitors”. 

“We have not, do not, and will not introduce into the software of our trains any solutions that lead to intentional failures. This is slander from our competition, which is conducting an illegal campaign of black PR against us,” the statement read. 

Newag instead alleges that LSR was attempting to avoid having to pay contractual penalties of as much as $500,000 for not completing the agreed routes and services. 

“In our opinion, the truth could be quite different – that, for example, it was the competition who interfered with the software,” said Newag president Zbigniew Konieczek. 

Real implications

The manufacturer said the rolling stock could now be dangerous to operate. 

“Hacking IT systems is a violation of many legal provisions and a threat to railway traffic safety,” Newag claimed. 

“We do not know who interfered with the train control software, using what methods and with what qualifications… We have notified the Railway Transport Office so that it can take a decision on withdrawing from traffic the sets subject to the actions of unknown hackers,” the company added.

In a lengthy response, Dragon Sector explained its actions and said it wanted to clarify the exact details of its work and so-called interference. 

The statement, in Polish, explained the “locking system” the hackers found, and that Dragon Sector is “100% confident in [its] analysis”.

“At the same time, we would like to correct frequent misunderstandings in the media: We did not interfere with the code of the controllers in Impulse – all vehicles still run on the original, unmodified software. It is not possible to update the software in Impulse remotely e.g. via the Global System for Mobile Communications (GSM) or the Internet.” 

These points are in direct response to Newag and seek to reassure LSR that the rolling stock is safe to operate. 

In a much shorter statement, SPS simply said its position was “consistent” with Dragon Sector’s statement. 

Next steps

While Newag said it would take SPS and Dragon Sector to court over the alleged hacking, it has not yet done so.

Dragon Sector meanwhile said it doubted the case would end up in court, telling 404: “NEWAG said that they will sue us, but we doubt they will – their defence line is really poor and they would have no chance defending it, they probably just want to sound scary in the media.” 

Newag did not immediately respond to a Railway Technology inquiry.