The MTA’s systems appear to have been hacked on two days during the second week of April, and access continued at least until the intrusion was identified on April 20, MTA documents show. The hackers took advantage of a so-called “zero day,” or a previously unknown coding flaw in software that doesn’t have a patch.
Hackers gained specific access to systems used by New York City Transit – which monitors subways and buses – and also the Long Island Rail Road and Metro-North Railroad, according to MTA documents outlining the breach. The hackers breached three of the transportation agency’s 18 computer systems, transportation officials said.
However, Mr. Portnoy said, “no employee or customer information was breached, there was no data loss, and there were no changes to our critical systems.”
He added: “Our response to the attack, closely coordinated and managed with State and Federal agencies, demonstrated that while an attack on its own is unstoppable, our cybersecurity defenses prevented it from spreading through MTA systems.”
After widespread intrusions, including the one at the MTA, were identified in late April, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, the National Security Agency, and the FBI issued warnings about this flaw.
The software company that owns Pulse Connect Secure, Ivanti, provided immediate steps to mitigate the damage and released a security update to fix the vulnerabilities. New York transit officials said they implemented the fixes within 24 hours of release.
After receiving a warning from security officials, the MTA quickly conducted a detailed forensic examination that discovered malware in the agency’s Pulse Connect Secure apps, transit officials said. This malware includes what are known as “web shells,” which, according to the MTA documentation, often provide hackers with a backdoor to remotely access – and in some cases control – a certain number of servers over an extended period of time.