New York subway system was targeted by Chinese-linked hackers in April

New York’s subway system was targeted by hackers with links to the Chinese government in April, according to a Metropolitan Transportation Authority (MTA) document reported on by The New York Times.

Officials with the MTA said that on April 20, the FBI, Cybersecurity Infrastructure Agency (CISA) and the National Security Agency issued a joint alert that there was a zero-day vulnerability — meaning a vulnerability no one was aware of and for which there were no patches.

CISA issued recommendations for fixes and patches, which the MTA implemented by the morning of April 21. The MTA further said it engaged with IBM and Mandiant to perform a forensic audit.

Only three of the MTA’s 18 systems were impacted. No employee information was breached, and there is no impact to customers or contractors.

Rafail Portnoy, the MTA’s chief technology officer, said in a statement to The Hill that the agency “quickly and aggressively responded to this attack bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems.” 

“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat,” Portnoy continued.

MTA officials told The Hill that the hack was part of a larger breach on multiple organizations and federal agencies that CISA first reported on April 20.

Hackers breached multiple agencies by exploiting vulnerabilities in products from IT company Invanti’s Pulse Connect Secure.

CISA said at the time that it had been assisting compromised organizations since March 31. The hack itself was believed to have begun in June 2020 or earlier.

But The New York Times first reported on Wednesday that the MTA was affected by the breach, marking the third time the MTA had been breached.

According to the newspaper, the campaign involved two groups of hackers believed to be linked to China, one of which was likely operating on behalf of the Chinese government.

News of the breach comes amid several high-profile cyberattacks on federal agencies and private businesses.

Meat producing group JBS USA was forced to shut down operations after being targeted. The FBI has identified Russian-linked groups REvil and Sodinokibi as behind that hack.

Colonial Pipeline was forced to halt 5,500 miles of pipeline last month after being targeted by criminal ransomware gang DarkSide.