Computer in Russia breached Metro system, inspector general report says

A personal computer in Russia was used to breach Metro’s computer network earlier this year after the transit agency had repeatedly been warned that cybersecurity deficiencies left its systems open to information theft and national security threats, according to a report released Wednesday.

The unauthorized January log-in to Metro’s cloud-based system from a computer belonging to a former I.T. contractor drew the attention of Metro’s Office of the Inspector General (OIG). The watchdog agency had warned Metro for months that investigators had uncovered widespread and long-standing security issues, including years of missing computer security updates, interdepartmental disputes that hamstring Metro’s cybersecurity team, Russia-based contractors receiving high-level clearances and other security holes that required immediate attention.

Metro’s sluggish response prompted Inspector General Rene Febles in recent weeks to elevate the concerns to federal law enforcement, homeland security and transportation agencies while briefing multiple congressional committees, according to a person with knowledge of the briefings.

The inspector general’s report surfaced deep-rooted problems that the watchdog’s officials say hinder security upgrades and leave the transit agency open to attacks that could threaten train safety. At risk is the nation’s third-largest transit system, responsible for transporting more than 600,000 people a day around the nation’s capital. As Metro increasingly relies on technology — launching a mobile fare card and app during the pandemic while aiming to switch to self-piloting trains this year — investigators said the need for strengthened cybersecurity protections will only rise.

“These vulnerabilities if left unaddressed and subsequently become exploited by a threat, could render [Metro] susceptible to unacceptable outcomes,” the report said.

Metro’s security and audit teams did not find indications that anything from the breached system was copied to a Russia-based computer, the report said.

In a response to the OIG that was included in the report, Metro chief information officer Torri T. Martin as well as chief audit and risk officer Elizabeth Sullivan said Metro brought in a Microsoft team to investigate the breach and make recommendations to improve security.

“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans],” Martin and Sullivan wrote.

Congress and the federal government repeatedly cite Metro, including its 97 stations and miles of underground tunnels, as a national security priority. Congress has held hearings to review whether Metro was adequately protected from terrorist attacks, and lawmakers in 2019 passed a provision that banned the agency from hiring a rail car manufacturer in China, concerned they could be built with capabilities for the Chinese government to spy on Washington or to launch cyberattacks.


The inspector general’s office has raised concerns about Metro’s computer security in the past. In 2018, the OIG completed an audit that found the transit agency was vulnerable to attack, but decided to keep the full findings secret so as not to reveal specific weaknesses. In 2020, another report also highlighted opportunities for Metro to improve security. Those details were also kept secret.

The report released Wednesday says Metro didn’t act on more than 50 previous cybersecurity recommendations from oversight agencies dating to 2019.

“During OIG’s investigation, evidence has surfaced that [Metro], at all levels, has failed to follow its own data handling policies and procedures as well as other policies and procedures establishing minimum levels of protection for handling and transmitting various types of data collected by [Metro],” the report said.

The audit also indicated that some of Metro’s trains were found by an outside contractor in 2019 to have cybersecurity vulnerabilities. Metro hired a firm to probe the trains for vulnerabilities and, according to the report, “the security company determined that the risk to [Metro’s] train in its current configuration was ‘critical.’”

Those findings were not turned over to the inspector general’s office until February this year, the report said. The type of train with vulnerabilities is redacted, but the description of the testing matches an initiative Metro launched to test the security of its latest 7000-series cars.

In its response to the inspector general, Metro said the security testing firm was never able to access the trains’ automatic train controls. The agency said suppliers are working to fix the weaknesses, but that those efforts had been slowed by the pandemic.


The investigation and subsequent report stem from a routine cybersecurity audit that began in January last year by Metro’s OIG, an independent agency that works to ferret out waste, theft, crimes or the misuse of agency property or power.

Weeks after starting the audit, OIG investigators paused it, shifting to determining the depth of issues and making recommendations Metro could use for urgent changes and upgrades. Among the issues were contractors working from Russia on Metro projects. The employees worked for a U.S.-based company not named in the report that had a Metro contract to work on systems containing sensitive information, including the Metro SmarTrip mobile app passengers use to pay fares.

Russia had a bustling I.T. outsourcing sector, but foreign technology companies were quick to pull out of the country after it invaded Ukraine.

Nitish Mittal, a partner at research firm Everest Group, said continuing to maintain ties with Russia presented reputational and security risks after the war began, noting it was relatively easy for I.T. companies to leave. Mittal said companies are increasingly looking to ensure their outside technology teams are in friendly countries, a concept he referred to as “ally-shoring.”

“Going forward, we do see clients trying to future-proof how they source talent,” he said.

Federal cybersecurity officials said they have seen increased cyberattacks from Russia, driven either by the crippling economic sanctions imposed on the country or by the material support the United States and its allies are providing to Ukraine.

On May 9, the Cybersecurity and Infrastructure Security Agency issued an alert warning businesses and agencies to protect against a sophisticated cyberespionage tool, known as “Snake,” designed by Russia’s Federal Security Service for long-term intelligence collection on targets such as government networks. The malware was detected in 50 countries, CISA said.

In response, Febles issued a rare alert about a week later to Metro’s then-interim general manager Andy Off. The alert stressed the importance of expediting cybersecurity upgrades.


The OIG continued to investigate the contractors who had been working in Russia and subpoenaed background checks the transit agency requires that contractors conduct on their employees — a process investigators want Metro to review in light of the recent concerns, according to the report.

Those subpoenaed records showed that more than one-third of the background checks used the same last four digits of a Social Security number. Metro pledged to resolve the vulnerabilities.

In January, the transit agency’s cybersecurity staff received notice that a computer in Russia had accessed Metro’s system, which the report described as being a “sensitive” Metro directory. According to the report, the OIG investigation traced the breach from the home computer of an employee whose contract had expired. Investigators found the worker’s initial story about the incident not to be truthful, the report said.

OIG investigators determined the man used his still-active log-in and password while remotely accessing his computer in Russia.

“Since the former contractor’s high-level administrative access had not been revoked, he was able to remotely access his personal computer in Russia to log into [Metro] systems containing critical and sensitive [Metro] data,” the OIG report said.

Investigators asked Metro’s I.T. manager, whose role includes terminating such log-ins and passwords, why the account was still active. They learned an I.T. supervisor had allowed the former contractor to retain his high-level access while hoping the company would be rehired, according to the report.
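An added illustration, not part of the article or of Metro’s own systems: the two checks an offboarding audit would run against the failure the report describes, a contract that expired while the account kept its high-level access, and a login from an unexpected country. The contractor roster, login events and allowed-country set below are constructed sample data.

```python
from datetime import date

# Constructed sample data (invented names, dates and countries for illustration).
# Each contractor account records its contract end date, whether it holds
# high-level (admin) rights, and whether it is still enabled.
ACCOUNTS = {
    "ctr_alice": {"contract_end": date(2023, 3, 31), "admin": True, "active": True},
    "ctr_bob":   {"contract_end": date(2022, 12, 15), "admin": True, "active": True},
    "ctr_carol": {"contract_end": date(2023, 6, 30), "admin": False, "active": True},
}
# Constructed login events: user, date of login, country the session came from.
LOGINS = [
    {"user": "ctr_alice", "when": date(2023, 1, 10), "country": "US"},
    {"user": "ctr_bob",   "when": date(2023, 1, 12), "country": "RU"},
    {"user": "ctr_carol", "when": date(2023, 1, 14), "country": "US"},
]
ALLOWED_COUNTRIES = {"US"}  # assumed policy: contractor sessions only from here


def stale_accounts(accounts, today):
    """Accounts still enabled after their contract end date: these should have
    been disabled at offboarding and are the first thing an audit lists."""
    return sorted(u for u, a in accounts.items()
                  if a["active"] and a["contract_end"] < today)


def suspicious_logins(accounts, logins, allowed):
    """Flag a login when the account's contract had already expired at login
    time (worse if it still holds admin rights) or when the session came from
    a country outside the allowed set. Returns (user, date, reasons) tuples."""
    findings = []
    for ev in logins:
        acct = accounts.get(ev["user"])
        reasons = []
        if acct is None:
            reasons.append("unknown account")
        elif ev["when"] > acct["contract_end"]:
            reasons.append("login after contract end")
            if acct["admin"]:
                reasons.append("expired account still holds admin rights")
        if ev["country"] not in allowed:
            reasons.append(f"login from {ev['country']}")
        if reasons:
            findings.append((ev["user"], ev["when"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    print("stale as of 2023-05-01:", stale_accounts(ACCOUNTS, date(2023, 5, 1)))
    for user, when, why in suspicious_logins(ACCOUNTS, LOGINS, ALLOWED_COUNTRIES):
        print(user, when, "; ".join(why))
```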

The report does not say whether that occurred, but noted the OIG’s concerns about contractors’ links to Russia “still stand.”

“One of the OIG’s gravest concerns identified … was access to [Metro] data by foreign nationals who were supporting sensitive applications and systems from Russia,” the report said.

This is a developing story and will be updated.