In late April, officials with the New York City Metropolitan Transportation Authority discovered that someone had penetrated several of the agency’s computer systems, exploiting a zero day vulnerability in the network’s VPN service as a way to get its foot in the door.
The transportation agency, which is responsible for operating a transit system whose daily ridership tops 5 million, discovered the intrusion attempt shortly after an announcement from federal authorities about a foreign hacking campaign targeted at Pulse Connect Secure, a VPN product. At the time, Pulse was widely used by state, local and federal government agencies.
The widespread hacking campaign is believed to have been at least partially the work of a sophisticated threat actor conducting espionage on behalf of China. While it’s unclear if that same actor attacked the MTA, the New York Times has reported that the hackers that targeted the transit agency are “believed to have links to the Chinese government.”
On Wednesday, MTA officials confirmed to Gizmodo that someone had exploited the Pulse security flaw to worm their way into MTA’s network, but that the hackers had apparently stopped short of stealing any data. In a statement, the agency said that three of its “systems” had been impacted by the attack, but did not elaborate on which systems they were or explain what that meant.
Separate forensic audits conducted by FireEye’s Mandiant and an IBM security team “found no evidence of account compromise, no employee information breached, no data loss or changes to our vital systems,” MTA officials said. No operational systems were affected by the attack either, they added.
In addition to post-incident audits, the Transportation Authority instituted several other security precautions — including “a forced migration off this VPN to other VPNs” and a requirement that some 3,700 employees and contractors change their passwords as an “extra layer of security,” officials said. In a statement provided to Gizmodo, Rafail Portnoy, the MTA’s Chief Technology Officer, reiterated that no data had been compromised as a result of the intrusion.
“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” said Portnoy.
News of the attempted attack comes during a veritable cyberattack blitz throughout the U.S., with many attacks targeted at critical infrastructure. While the hackers in this case don’t appear to have gained access to anything of real importance, the fact that such a system could be compromised in the first place is disturbing on its face.
The New York Times reports that an MTA document shows officials have expressed concerns that the hackers “could have entered those [MTA] operational systems or that they could continue to penetrate the agency’s computer systems through a back door.” Yes, if the idea of a cyberattack paralyzing the R line somewhere between Court Street and South Ferry discomfits you, let’s just hope that public agencies like the MTA have a forward-looking plan for how to make sure scenarios like that never become a reality in the future.