
Russian computer breached DC Metro system: watchdog

A computer based in Russia was able to breach the Washington, D.C., Metro system earlier this year, Metro’s Office of the Inspector General (OIG) says in a new report.

The partially redacted report, released Wednesday and first reported by The Washington Post, says the Washington Metropolitan Area Transit Authority’s (WMATA) cyber security group detected “abnormal network activity originating in Russia” in January. 

Initial findings indicated that a computer in Russia had accessed “a sensitive WMATA directory” with the credentials of a contractor who no longer worked for Metro, but whose high-level access had been maintained in hopes that the contract would be renewed. The investigation found that “the computer in Russia was turned on at the direction of the former contractor who remotely accessed his computer in Russia.”

The OIG says it raised concerns about “possible cybersecurity vulnerabilities” to WMATA back in 2019, arguing that vulnerability assessments and testing of system components were not being conducted. WMATA then contracted a security company that produced a findings report, a copy of which the OIG says it only received in February, despite earlier requests. 

“Given the current threat environment, the report stated that it can be assumed vulnerabilities currently do or will exist within WMATA’s systems. These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render WMATA susceptible to unacceptable outcomes,” the latest OIG document reads.

In a response included in the published report, Metro’s chief information officer Torri T. Martin and chief audit and risk officer Elizabeth Sullivan wrote to “respectfully note that the Report fails to recognize that the IT department has made measurable improvements in its cybersecurity program as demonstrated by successfully closing 142 out of 168 OIG corrective action plans … since 2019.”

An investigation of the Russian activity by the Microsoft Detection and Response team, they said, did not find that content accessed through the breached computer in January was synchronized onto the Russia device and “no indications of persistence or ongoing malicious activity” were noted.

The IT department is now reviewing the OIG and Microsoft assessments and recommendations, Martin and Sullivan said.

“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans],” they wrote.

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.


