DC Metro Hack Linked to Former Employee in Russia

A former WMATA contractor using a personal computer in Russia breached Metro’s computer system earlier this year, according to a report from WMATA’s Office of the Inspector General, revealing “grave concerns” for the system’s cyber vulnerabilities.

The investigation by Metro OIG Rene Febles into the hacking revealed several weaknesses in WMATA operations regarding data protection and cybersecurity, and a failure by the agency to address its vulnerabilities.

“Evidence has surfaced that WMATA, at all levels, has failed to follow its own data handling policies and procedures as well as other policies and procedures establishing minimum levels of protection for handling and transmitting various types of data collected by WMATA,” reads the OIG report, made public Wednesday.

The OIG’s report is not the first to warn the agency of cyberattacks from outside the U.S., nor is the OIG the first body to raise concerns about the local agency’s business dealings with other countries. In 2020, Congress passed legislation that banned transit agencies from purchasing trains made by China’s state-owned rail-car manufacturer, and the federal government has warned of potential risks for cyberattacks from Russia as the war in Ukraine has continued on.

The investigation began in January 2023, after WMATA’s cyber security department flagged abnormal network activity originating in Russia. WMATA’s probe linked the unusual activity to a former contractor whose contract had expired, and who no longer worked for the agency. (According to the OIG’s report, the former contractor’s supervisor had allowed him to maintain high-level administrative access to WMATA systems, hoping his contract would be renewed.) WMATA concluded the ex-contractor had accessed his personal computer in Russia remotely, and used the computer to log into WMATA systems containing “critical and sensitive” data. He was originally hired to work on Metro networks like the SmarTrip app that riders use to pay fares at Metrorail stops.

WMATA then hired a Microsoft team to further investigate the breach. According to a memo from WMATA’s Chief Information Officer Torri T. Martin and Chief Audit and Risk Officer in February, their investigation found that no data was copied from Metro’s system to the laptop in Russia during the breach, and no malicious activity continued.

But the OIG’s report states that the breach is the result of deep-rooted security issues within WMATA; issues that the agency has been aware of for years, and has not successfully remedied.

In 2019, the OIG raised concerns surrounding the cybersecurity of a certain train (the full name is redacted in the OIG’s report), and as a result, WMATA brought in a security company to test its network’s vulnerabilities. The test identified a number of problems, characterizing risks to the Metro system as “critical.” It wasn’t until February 2023 that Metro provided the OIG with a written report of this company’s findings, according to the OIG, despite multiple requests. Meanwhile, two OIG recommendations about cybersecurity relating to this same train type are still open, after WMATA asked for extensions.

Additionally, in 2022 the OIG initiated a routine audit of WMATA’s cybersecurity program, but paused it after uncovering issues. Former Acting General Manager and CEO Andy Off was made aware of the concerns in May 2022 in a management alert, but as of the OIG’s most recent report, the concerns still stand.

“One of OIG’s gravest concerns identified in the [management alert] was access to WMATA by foreign nationals who were supporting sensitive applications and systems from Russia,” the report reads.

Between OIG recommendations and those from outside audits, WMATA has failed to implement at least 51 cybersecurity recommendations over the past four years.

Some of the outlined steps towards improvement included in the OIG report — and made to WMATA over the years — include installing full disk encryption on laptops in case a computer is stolen or lost, and banning employees from using personal devices to access WMATA networks. WMATA currently does not how many contractors or employees use or have used a personal computer for WMATA business, according to the report. After the breach in January, the OIG had asked the agency to compile a list of all WMATA contractors not located in the U.S., and was told WMATA did not maintain this information.

The OIG’s report includes a list of 14 actions WMATA should take, including immediately addressing the concerns from the May 2022 audit, providing OIG with a list of all devices that have connected to WMATA systems in the past 30 days, and reviewing its security clearance process for outside contractors.

Coincidentally, also on Wednesday, the U.S. Attorney for D.C. announced charges against a Russian national for hacking the Metropolitan Police Department in 2021. Mikhail Pavlovich Matveev, allegedly hacked MPD’s network, intentionally infected it with ransomware, and threatened to disclose sensitive data unless a payment was made.

Content retrieved on 17 May 2023 from https://dcist.com/story/23/05/17/metro-breach-linked-russian-computer/