DataInTheDark

Attack alert: lockbit5 targets fepasa.com.ar - AR

DataInTheDark Alert System

Introduction

On December 5, 2025, FEPASA, an Argentinian railway operator employing over 1,000 people, was the victim of a cyberattack orchestrated by the lockbit5 group. This compromise, classified as SIGNAL level by our XC-Classify protocol, exposes a major player in the Argentinian rail transport sector, which manages critical infrastructure, train schedules, and sensitive logistics data. The incident illustrates the persistent vulnerability of the transportation sector to ransomware, particularly in Latin America, where railway infrastructure is a strategic target for cybercriminals. This attack comes amidst an escalating lockbit5 operation against transportation infrastructure, exploiting its reliance on digital systems and its low tolerance for operational disruptions.

lockbit5 is one of the ransomware groups operating under the Ransomware-as-a-Service (RaaS) model, a criminal architecture in which developers provide attack tools to affiliates in exchange for a percentage of the ransoms collected. Currently active, this cybercriminal collective is distinguished by its ability to target critical infrastructure sectors, particularly transportation, where operational disruptions generate maximum pressure for rapid payment. lockbit5's typical modus operandi relies on a two-pronged extortion strategy: encrypting systems to paralyze operations, then threatening to release the exfiltrated data to force a settlement. The attackers generally exploit unpatched vulnerabilities in internet-exposed systems, poorly secured RDP access, or targeted phishing campaigns against employees. Once initial access is gained, the group deploys reconnaissance tools to map the network, escalate privileges, and identify the most critical digital assets before exfiltration and encryption. Their previous victims span various sectors, with a predilection for organizations with substantial revenues and low resilience to service disruptions.

Detailed Analysis

Founded in 1993, FEPASA (Ferrocarril General Manuel Belgrano S.A.) is a cornerstone of Argentine rail transport, managing both freight and passenger services across an extensive network. With over 1,000 employees, this state-owned company operates critical infrastructure, including railway lines, stations, and signaling systems, across several Argentine provinces. Its role in national logistics is strategic: FEPASA ensures the transport of agricultural, mining, and manufactured goods, while also connecting isolated rural areas to urban centers through passenger services. The nature of its operations involves managing highly sensitive data: real-time train schedules, cargo manifests (potentially including hazardous materials), railway infrastructure plans, contractual data with logistics partners, and passenger information. The compromise of such digital assets exposes FEPASA to multiple risks: operational paralysis if control systems are encrypted, exposure of trade secrets, breach of passengers' personal data, and potentially physical security risks if sensitive cargo information is leaked. In the Argentine context, where rail transport is undergoing gradual modernization after decades of underinvestment, FEPASA represents an attractive target for cybercriminals seeking to exploit recently deployed but potentially insufficiently secured digital systems.

The SIGNAL classification assigned by our XC-Classify protocol indicates early detection of the incident, prior to formal confirmation of the massive data exfiltration or ransom payment. This level suggests that lockbit5 publicly claimed responsibility for the attack against fepasa.com.ar, thus signaling its ability to compromise the railway operator's systems. Although the precise technical details of the intrusion are still being analyzed, lockbit5's typical modus operandi suggests several likely attack vectors: exploitation of vulnerabilities in FEPASA's exposed web interfaces, compromise of privileged accounts via targeted phishing against administrative staff, or abuse of unsecured RDP access to railway management systems. The timeline suggests rapid discovery on December 5, 2025, possibly following the publication of the attack on lockbit5's communication channels rather than internal detection. Immediate risks include the potential paralysis of railway planning and control systems, the exposure of sensitive contractual data with industrial clients, and the potential breach of passengers' personal information. For compromised digital assets, the consequences extend beyond FEPASA: logistics partners sharing data with the operator, railway infrastructure providers, and transport regulatory authorities could be indirectly exposed if shared information has been exfiltrated.

The transportation sector, particularly vulnerable to cyberattacks due to its reliance on industrial control systems and its low tolerance for disruptions, faces increasing regulatory risks both in Argentina and internationally. While Argentina does not yet have a strict equivalent to the European GDPR, Law 25.326 on the Protection of Personal Data imposes notification obligations in the event of a data breach affecting Argentine citizens. For a critical infrastructure operator like FEPASA, this attack could trigger reporting obligations to the Public Information Access Agency (AAIP) and potentially the Ministry of Transportation. In the Latin American context, ransomware incidents against rail transport often create a domino effect: logistics partners reassess their data-sharing protocols, regulatory authorities tighten their cybersecurity requirements, and competitors accelerate their defensive investments for fear of becoming the next target. Past incidents in the sector, particularly attacks against European and North American rail operators in recent years, have demonstrated that disruptions can last for weeks, affecting entire supply chains. For transportation companies in Argentina, this incident serves as a wake-up call: digital modernization without a parallel strengthening of cybersecurity creates systemic vulnerabilities that RaaS groups like lockbit5 methodically exploit.

Frequently Asked Questions

When did the attack by lockbit5 on fepasa.com.ar occur?

The attack occurred on December 5, 2025 and was claimed by lockbit5. The incident can be tracked directly on the dedicated alert page for fepasa.com.ar.

Who is the victim of lockbit5?

The victim is fepasa.com.ar, which operates in the transportation sector. The company is located in Argentina. Visit fepasa.com.ar's official website. To learn more about the lockbit5 threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on fepasa.com.ar?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on fepasa.com.ar has been claimed by lockbit5 but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

This attack against FEPASA is certified via the XC-Audit protocol, guaranteeing immutable traceability on the Polygon blockchain. Unlike traditional, opaque, and modifiable centralized verification systems, our blockchain approach allows any interested party to independently verify the authenticity of the incident, the date of discovery, and the associated metadata. Every element of the analysis—from lockbit5's initial claim to the SIGNAL classification—is timestamped and anchored in a distributed ledger, eliminating any risk of retroactive manipulation. For companies in the transportation sector, this transparency offers a strategic advantage: the ability to corroborate emerging threats through verifiable sources rather than relying solely on proprietary alerts whose reliability remains unverifiable. Understanding the XC-Audit protocol and blockchain certification demonstrates how this trusted infrastructure transforms cyber threat intelligence, shifting from a reputation-based model to one based on cryptographic proof. The Polygon hashes associated with this incident constitute potential forensic evidence, usable in legal proceedings or cyber insurance claims, offering a level of certainty impossible with traditional, editable reports.

Proof of the leak on fepasa.com.ar
