The Metropolitan Transportation Authority (MTA) disclosed that the New York subway system was attacked by hackers associated with the Chinese government. The Chinese hackers are believed to be part of threat actors involved in a global cyber espionage campaign against government agencies, critical infrastructure entities, and private organizations.
Chinese hackers used Pulse Connect Secure VPN to breach the New York subway system
The Chinese hackers exploited Pulse Connect Secure VPN zero-day vulnerabilities whose patches were yet to be released.
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had issued a joint alert on hackers targeting organizations via VPN vulnerabilities.
The joint alert recommended various mitigations to block Chinese hackers from exploiting Pulse Connect Secure VPN vulnerabilities. A day later, on April 21, the MTA applied those mitigations.
Additionally, CISA had said it assisted several federal agencies, critical infrastructure entities, and private organizations breached since March 31 via Ivanti’s Pulse Connect Secure. Transit officials believe the exploit was part of the wider breach identified by CISA.
Chinese hackers breached the New York subway twice in the second week of April before they were discovered on April 20.
The New York subway reported the attack to the federal authorities without publicly acknowledging the breach until the New York Times reported it.
Investigation into the New York subway breach
The transit agency involved FireEye’s Mandiant division and IBM to conduct a forensic audit. The investigation revealed that hackers accessed three out of 18 computer systems.
The investigation into the New York subway data breach found that the attack did not affect operational systems, with “no employee or customer information breached, no data loss and no changes to our vital systems.”
“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain…