Giant Computer Breach Hits D.C. Metro

In a new report released this week, the Office of the Inspector General (OIG) of the Washington, D.C., Metro system said that a Russia-based computer breached the system earlier in 2023.

The report, which was partially redacted, was first reported on by The Washington Post. It said that a cybersecurity group working for the Washington Metropolitan Area Transit Authority in January detected “abnormal network activity originating in Russia.”

The initial findings from the group indicated that a computer based in Russia was able to access “a sensitive WMATA directory” that contained credentials for a contractor who was no longer working for the Metro. WMATA had nevertheless kept the contractor’s high-level access to the system in place, hoping to renew the contract in the future.
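The two conditions described above, a departed contractor whose credentials were never revoked and activity from a country the organization does not expect, are both straightforward to check for in access logs. The following is an added illustration, not code from the report, WMATA or Microsoft: it runs a small, constructed log sample through two checks (account used after its contract end date; access from outside an allow-list of countries) and separately lists accounts that should already have been disabled. The account names, dates, IP addresses and log format are all invented for the example.

```python
"""Flag access by stale contractor accounts and from unexpected countries.

Added example; every account, date and log line below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed directory of contractor accounts -> contract end date.
# None means the engagement is still active.
CONTRACT_END = {
    "svc-contractor-a": date(2022, 9, 30),   # ended, but account never disabled
    "ops-admin-b": None,
}

# Countries from which interactive access is expected (constructed policy).
EXPECTED_COUNTRIES = {"US"}

# Constructed access log: timestamp user source_ip country resource
SAMPLE_LOG = """\
2023-01-10T02:14:07Z svc-contractor-a 203.0.113.7 RU /share/sensitive-dir
2023-01-10T09:03:21Z ops-admin-b 198.51.100.4 US /share/ops
2023-01-11T23:48:55Z ops-admin-b 192.0.2.9 US /share/sensitive-dir
"""


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    reasons: tuple


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log record into named fields."""
    ts, user, ip, country, resource = line.split()
    return {
        "date": date.fromisoformat(ts[:10]),
        "user": user,
        "ip": ip,
        "country": country,
        "resource": resource,
    }


def review_log(log_text: str = SAMPLE_LOG,
               contract_end: dict = CONTRACT_END,
               expected: set = EXPECTED_COUNTRIES) -> list:
    """Return one Finding per log record that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []

        # Check 1: is the account past its contract end date?
        if rec["user"] not in contract_end:
            reasons.append("account not in contractor directory")
        else:
            end = contract_end[rec["user"]]
            if end is not None and rec["date"] > end:
                reasons.append(f"used after contract end {end.isoformat()}")

        # Check 2: does the source country match the allow-list?
        if rec["country"] not in expected:
            reasons.append(f"access from unexpected country {rec['country']}")

        if reasons:
            findings.append(Finding(rec["user"], rec["resource"], tuple(reasons)))
    return findings


def stale_accounts(as_of: date, contract_end: dict = CONTRACT_END) -> list:
    """Accounts whose contract ended before `as_of` and should be disabled."""
    return sorted(u for u, end in contract_end.items()
                  if end is not None and end < as_of)


if __name__ == "__main__":
    for f in review_log():
        print(f"{f.user} -> {f.resource}: {'; '.join(f.reasons)}")
    print("accounts to disable:", stale_accounts(date(2023, 1, 15)))
```

Running the script flags the single access by `svc-contractor-a` on both counts; the second function is the periodic deprovisioning review that would have disabled that account months before the access occurred.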

The OIG’s investigation revealed that “the computer in Russia was turned on at the direction of the former contractor who remotely accessed his computer in Russia.”

Back in 2019, the OIG said it had raised concerns to WMATA regarding “possible cybersecurity vulnerabilities” in its system, noting that vulnerability testing and assessments of the system’s components were not being carried out.

WMATA contracted a security firm, which produced a report of its findings. A copy of that report was not sent to the OIG until February, despite the OIG’s earlier requests for it.

According to the OIG document:

“Given the current threat environment, the report stated that it can be assumed vulnerabilities currently do or will exist within WMATA’s systems. These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render WMATA susceptible to unacceptable outcomes.”

The Metro quickly fired back in response to the report, defending the actions it has taken since the OIG’s office first warned the organization in 2019.

A written response was provided by the chief information officer for the Metro, Torri Martin, as well as its chief audit and risk officer, Elizabeth Sullivan. In it, they wrote:

“[We] respectfully note that the Report fails to recognize that the IT department has made measurable improvements in its cybersecurity program as demonstrated by successfully closing 142 out of 168 OIG corrective action plans … since 2019.”

The Microsoft Detection and Response team, which investigated the activity out of Russia, found no evidence that the content accessed by the breached computer earlier this year was ever saved to the Russian device. It also reported “no indications of persistence or ongoing malicious activity.”

Sullivan and Martin added that the Metro’s IT department is reviewing the recommendations and assessments produced by Microsoft and the OIG.

They wrote:

“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans].”