2023 revelation of software sabotage
At the OhMyH@ck conference held in Warsaw on 5 December 2023, software engineers from white hat hacker group Dragon Sector revealed that they had reverse engineered the embedded software of Newag 45WE Impuls EMUs after operator Koleje Dolnośląskie had experienced a number of mysterious breakdowns when maintenance was performed by their selected contractor Serwis Pojazdów Szynowych (SPS).[9] In Newag's opinion, the issues were a result of malpractice by SPS and the trains should have instead been serviced by Newag.[10][11]
Analysis of the software revealed that the train's embedded computers were programmed to lock up and display bogus fault messages and prevent the train from running if a GPS tracker detected that it spent a certain number of days in an independent repair company’s maintenance center, and also if certain replacement parts had a serial number not approved by the manufacturer.[12][13]
In an investigation conducted with the help of the Polish Office of Rail Transport and CERT Polska, it was also discovered that the software locks could be bypassed by pressing a sequence of buttons in the cab of the train, although a later software update removed this ability.[14] The Dragon Sector group analysed 29 trains belonging to Koleje Dolnośląskie as well as other affected operators such as Koleje Mazowieckie, SKM Warszawa, WKD and Polregio, 24 of which had software locks which were unlocked by the group. After those findings were made public, former Minister of Digital Affairs Janusz Cieszyński confirmed the Polish government and Polish intelligence agencies had known about the findings since May.[15] It was also revealed that the Polish Internal Security Agency (ABW) had, in October 2022, submitted a case against Newag regarding the abovementioned software manipulation incidents to the prosecutor's office in Nowy Sącz, which initially downplayed the incident until said findings publicly came to light, after which, the investigation was taken over by the regional prosecutor's office in Kraków on suspicion of crimes committed under Article 269 §1 and Article 286 §1 of the Polish Penal Code.[16]
Newag strongly denied the claims they intentionally disabled their software and instead alleged SPS was propagating a conspiracy theory to avoid contractual penalties for being unable to service the trains. Newag also claimed there is no proof they are the author of the software or that the modifications had been introduced by them. Newag stated it would take legal action against SPS and the Dragon Sector group for slander and defamation.[17]
The Dragon Sector hacker group subsequently gave a presentation at the 37th Chaos Communication Congress (37C3) in Hamburg on 27 December 2023, where they explained in detail the process of debugging the train software and their findings.[18]
The Sejm's Parliamentary Committee for Combating Transport Exclusion subsequently convened three hearings regarding the abovementioned allegations on 17 January, 27 February and 26 March 2024, whose participants included representatives of the Dragon Sector team, Newag, railway operators and members of the Sejm.[19]
Newag has since filed a lawsuit for copyright infringement against Dragon Sector and SPS.[20] The first hearing was held by the District Court in Warsaw on 28 August 2024.[21]