NYC metro transport authority was breached by hackers believed linked to China: US document

NEW YORK (NYTIMES) - A hacking group believed to have links to the Chinese government penetrated the Metropolitan Transportation Authority's computer systems in April, exposing vulnerabilities in a vast transportation network that carries millions of people every day, according to an MTA document that outlined the breach.

The hackers did not gain access to systems that control train cars, and rider safety was not at risk, transit officials said, adding that the intrusion appeared to have done little, if any, damage.

But a week after the agency learned of the attack, officials raised concerns that hackers could have entered those operational systems or that they could continue to penetrate the agency's computer systems through a back door, the document also shows.

Transit officials say a forensic analysis of the attack has not revealed evidence of either and that hackers did not compromise customers' personal information. The agency reported the attack to law enforcement and other state agencies but has not disclosed it publicly.

The breach was the third - and most significant - cyberattack on the transit network, North America's largest, by hackers thought to be connected to foreign governments in recent years, according to transit officials.

The MTA is one of a growing number of transit agencies across the country targeted by foreign hackers, and the breach comes during a surge in cyberattacks on critical US infrastructure, from fuel pipelines to water supply systems.

A ransomware attack last month on Colonial Pipeline, one of the nation's largest pipelines, led to a precautionary shutdown of a network stretching from Texas to New York that carries nearly half the gasoline, diesel and jet fuel for the East Coast. The shutdown caused panic-buying across the Southeast as drivers scrambled to fill their tanks.

In recent months, cyberattacks have also crippled police departments in the District of Columbia and elsewhere as well as hospitals treating coronavirus patients, in intrusions that involved criminal groups holding data hostage and seeking payments to unlock the data.

The attack on the MTA did not involve financial demands and instead appears to be part of a recent series of widespread intrusions by sophisticated hackers believed to be backed by the Chinese government, according to FireEye, a private cybersecurity firm that works with the federal government and helped identify the breach.

The broader hacking campaign compromised dozens of federal agencies, defense contractors and financial institutions, among other sectors, and was discovered in late April. The Chinese government routinely denies carrying out hacking operations.

It is unclear why the MTA was a target of the campaign, but investigators have several theories. One focuses on China's push to dominate the multibillion-dollar market for rail cars - an effort that could benefit from knowing more about the inner workings of a transit system that awards lucrative contracts.

In recent years, China has used cyberattacks as a way to advance its economy and become the dominant global superpower, according to the Justice Department.

Another more benign view is that hackers mistakenly entered the MTA's system and discovered it was of little interest, which cybersecurity experts say is not unusual.

In any event, the hackers did not make any changes to the agency's operations, collect any employee or customer information - like credit card numbers - or compromise any MTA accounts, transit officials said, citing a forensic audit of the attack commissioned by the agency and conducted by IBM and Mandiant, a leading cybersecurity firm.

"The MTA's existing multilayered security systems worked as designed, preventing spread of the attack," said Mr Rafail Portnoy, the MTA's chief technology officer. "We continue to strengthen these comprehensive systems and remain vigilant, as cyberattacks are a growing global threat."

A spokesperson for the Department of Homeland Security, which is investigating the breach, declined to comment.

The intrusion is the latest in an escalation of cyberattacks against US transit agencies, most of which are financially strapped and can usually only afford basic cybersecurity protections.

A study last year by the Mineta Transportation Institute, a research organisation, found that while more than 80 per cent of transportation agencies surveyed believed they were prepared to manage cybersecurity threats, only 60 per cent had a cybersecurity plan in place.

"A lot of transit agencies don't have chief security officers, much less cybersecurity officers," said Mr Scott Belcher, a consultant specialising in transportation technology who led the study.

None of the attacks posed a physical threat to riders or drastically disrupted train service. But they have impeded operations, threatened to drain millions of dollars in ransom demands and cost hundreds of thousands of dollars in forensic analyses after breaches were identified.

"Initially you might think the biggest risk is the stuff you see in movies, somebody taking over a bus remotely or taking over a train remotely and putting the passengers at risk," Mr Belcher said. But recovering from the attacks is expensive, he said, "which itself puts their ability to operate at risk."

The latest breach at the MTA - combined with the recent increase in cyberattacks on transit agencies - has raised questions about the transit agency's cyberdefences, according to a government official with knowledge of the cyberattack and the steps the MTA took to address it.

To gain access to the MTA and other systems, the hackers took advantage of vulnerabilities in Pulse Connect Secure, a widely used connectivity tool that offers workers remote access to their employers' networks. The cyberespionage campaign involved two groups of China-linked hackers, one of which was likely operating on behalf of the Chinese government, according to FireEye.

The MTA's systems appear to have been attacked on two days in the second week of April, and the access continued at least until the intrusion was identified April 20, the MTA document shows. The hackers took advantage of a so-called "zero day," or a previously unknown coding flaw in software for which a patch does not exist.

The software company that owns Pulse Connect Secure, Ivanti, provided immediate steps to mitigate the damage and released a security update to fix the vulnerabilities. New York transit officials say they implemented the fixes within 24 hours of their release.

After receiving the warning from security officials, the MTA quickly conducted the detailed forensic audit, which found malware in the authority's Pulse Connect Secure applications, transit officials said. The malware included malicious software known as "web shells," according to the MTA document, which typically provide hackers a backdoor to remotely access - and in some cases control - certain servers over a long period of time.

Although the hackers did not make any ransom demands, experts say it is possible that they benefited financially from the attack in other ways.

"There's a lot of avenues to monetise this access into this environment beyond the ransomware attack," said Mr Rob McLeod, senior director of the threat response unit at eSentire, a cybersecurity company. "Ongoing access can be interesting to many groups, even governments. Maybe there's a strategic advantage to understanding the operating model of a transit agency."