The threat actors could not cause any data loss or get access to systems controlling the transportation fleet.
Chinese threat actors breached New York City’s Metropolitan Transportation Authority (MTA) network in April using a Pulse Secure zero-day, but they could not cause any data loss or gain access to the systems controlling the transportation fleet.
Rafail Portnoy, MTA’s Chief Technology Officer, stated that while the attackers hacked into several MTA computer systems, they were unable to gain access to employee or customer information.
The MTA responded quickly to the attack and engaged Mandiant, a leading cybersecurity firm, to perform forensic audits. The firm found no evidence of impact on operational systems, no breach of employee or customer information, no data loss, and no changes to vital systems.
MTA is the largest North American transportation network serving more than 15.3 million people across a 5,000-square-mile travel area around New York City.
The transit authority operates multiple transportation agencies, including the MTA New York City Transit, MTA Bus, Long Island Rail Road, Metro-North Railroad, and MTA Bridges and Tunnels.
MTA mitigated the vulnerability on April 21, one day after Pulse Secure issued an advisory and CISA published an alert on the Pulse Secure zero-day that was exploited in the attack.
Additionally, existing security systems also thwarted the attackers’ attempts to move through the network.
Portnoy added that the MTA’s existing multi-layered security systems worked as designed and prevented the attack from spreading. He said the MTA continues to strengthen those comprehensive systems and remains vigilant, as cyber-attacks are a growing global threat.
According to MTA officials, the breach was the result of the third attack on the transportation authority’s network in recent years.
Cybersecurity firm FireEye revealed on April 20 that at least two Chinese-backed threat actors were actively exploiting a zero-day vulnerability to deploy 16 different malware families. The malware is custom-tailored for compromising Pulse Secure VPN appliances and is used to maintain long-term access to networks, collect credentials, and steal data.