A former WMATA contractor using a personal computer in
Russia breached Metro’s computer system earlier this year, according to a
report from WMATA’s Office of the Inspector General that describes “grave
concerns” about the system’s cyber vulnerabilities.
The investigation by Metro OIG Rene Febles into the hacking
revealed several weaknesses in WMATA operations regarding data protection
and cybersecurity, and a failure by the agency to address its
vulnerabilities.
“Evidence has surfaced that WMATA, at all levels, has failed
to follow its own data handling policies and procedures as well as other
policies and procedures establishing minimum levels of protection for
handling and transmitting various types of data collected by WMATA,” reads
the OIG report, made public Wednesday.
The OIG’s report is not the first to warn the agency of
cyberattacks from outside the U.S., nor is the OIG the first body to raise
concerns about the local agency’s business dealings with other countries.
In 2020, Congress passed legislation that banned transit agencies from
purchasing trains made by China’s state-owned rail-car manufacturer, and
the federal government has warned of potential cyberattacks from
Russia as the war in Ukraine has continued.
The investigation began in January 2023, after WMATA’s cyber
security department flagged abnormal network activity originating in
Russia. WMATA’s probe linked the unusual activity to a former contractor
whose contract had expired, and who no longer worked for the agency.
(According to the OIG’s report, the former contractor’s supervisor had allowed
him to maintain high-level administrative access to WMATA systems, hoping
his contract would be renewed.) WMATA concluded the ex-contractor had
accessed his personal computer in Russia remotely, and used the computer to
log into WMATA systems containing “critical and sensitive” data. He was
originally hired to work on Metro networks like the SmarTrip app that
riders use to pay fares at Metrorail stops.
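As an added illustration, not code from the article or the OIG report, the two controls this incident implies: a deprovisioning check that lists contractor accounts still holding privileges past their contract end, and a log review that flags logins after expiry, from outside the expected countries, or from unmanaged personal devices. The roster, log lines and field layout are constructed for the example.

```python
from datetime import date, datetime

# Constructed contractor roster (not from the report): contract end date and
# the privilege level each account still holds in the identity system.
CONTRACTORS = {
    "jdoe":   {"contract_end": date(2022, 11, 30), "role": "admin"},
    "asmith": {"contract_end": date(2023, 6, 30),  "role": "developer"},
}

# Constructed authentication log: timestamp, user, source country, and an
# assumed asset-inventory field saying whether the device is agency-managed.
AUTH_LOG = """\
2023-01-10T02:14:05Z jdoe RU personal
2023-01-10T09:30:00Z asmith US managed
2023-01-11T22:47:13Z jdoe RU personal
2023-01-12T08:05:44Z asmith US personal
"""

HOME_COUNTRIES = {"US"}  # countries from which logins are expected


def stale_accounts(roster, today):
    """Preventive control: accounts that should have been deprovisioned."""
    return sorted(u for u, c in roster.items()
                  if today > c["contract_end"] and c["role"] != "disabled")


def parse_line(line):
    ts, user, country, device = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "device": device}


def findings(log, roster, home=HOME_COUNTRIES):
    """Detective control: one finding per suspicious login, with reasons."""
    out = []
    for raw in log.strip().splitlines():
        ev = parse_line(raw)
        c = roster.get(ev["user"])
        reasons = []
        if c and ev["ts"].date() > c["contract_end"]:
            reasons.append("login after contract expiry")
            if c["role"] == "admin":
                reasons.append("expired account still holds admin role")
        if ev["country"] not in home:
            reasons.append(f"source country {ev['country']} not in allowed set")
        if ev["device"] == "personal":
            reasons.append("unmanaged personal device")
        if reasons:
            out.append((ev["user"], ev["ts"].isoformat(), reasons))
    return out
```

Run against a real identity export and authentication feed, the same two functions give the post-expiry access list and the foreign-origin logins that the agency's own review had to assemble by hand.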
WMATA then hired a Microsoft team to further investigate the
breach. According to a February memo from WMATA’s Chief Information Officer Torri T.
Martin and its Chief Audit and Risk Officer, that investigation
found that no data was copied from Metro’s system to the laptop in Russia
during the breach, and that no malicious activity continued.
But the OIG’s report states that the breach is the result of
deep-rooted security issues within WMATA, issues that the agency has been
aware of for years and has not successfully remedied.
In 2019, the OIG raised concerns surrounding the
cybersecurity of a certain train (the full name is redacted in the OIG’s
report), and as a result, WMATA brought in a security company to test its
network’s vulnerabilities. The test identified a number of problems,
characterizing risks to the Metro system as “critical.” It wasn’t until
February 2023 that Metro provided the OIG with a written report of this
company’s findings, according to the OIG, despite multiple requests.
Meanwhile, two OIG recommendations about cybersecurity relating to this
same train type are still open, after WMATA asked for extensions.
Additionally, in 2022 the OIG initiated a routine audit of
WMATA’s cybersecurity program, but paused it after uncovering issues.
Former Acting General Manager and CEO Andy Off was made aware of the
concerns in May 2022 in a management alert, but as of the OIG’s most recent
report, the concerns still stand.
“One of OIG’s gravest concerns identified in the [management
alert] was access to WMATA by foreign nationals who were supporting
sensitive applications and systems from Russia,” the report reads.
Between OIG recommendations and those from outside audits,
WMATA has failed to implement at least 51 cybersecurity recommendations
over the past four years.
Some of the steps toward improvement outlined in the OIG report,
recommendations made to WMATA over the years, include installing full
disk encryption on laptops in case a computer is stolen or lost, and
banning employees from using personal devices to access WMATA networks.
WMATA currently does not know how many contractors or employees use or have used
a personal computer for WMATA business, according to the report. After the
breach in January, the OIG asked the agency to compile a list of all
WMATA contractors not located in the U.S., and was told WMATA did not
maintain this information.
The OIG’s report includes a list of 14 actions WMATA should
take, including immediately addressing the concerns from the May 2022
audit, providing OIG with a list of all devices that have connected to
WMATA systems in the past 30 days, and reviewing its security clearance
process for outside contractors.
Coincidentally, also on Wednesday, the U.S. Attorney for
D.C. announced charges against a Russian national for hacking the
Metropolitan Police Department in 2021. Mikhail Pavlovich Matveev
allegedly hacked MPD’s network, intentionally infected it with ransomware,
and threatened to disclose sensitive data unless a payment was made.
Content retrieved on 17 May 2023 from https://dcist.com/story/23/05/17/metro-breach-linked-russian-computer/