A computer based in Russia was able to breach the Washington, D.C., Metro system earlier this year, the Metro’s Office of the Inspector General (OIG) said in a new report.
The partially redacted report, released Wednesday and first reported by The Washington Post, said the Washington Metropolitan Area Transit Authority’s (WMATA) cybersecurity group detected “abnormal network activity originating in Russia” in January.
Initial findings indicated a computer in Russia accessed “a sensitive WMATA directory” with the credentials of a contractor who no longer worked for Metro, but whose high-level access had been maintained in hopes that the contract would be renewed. The investigation found “the computer in Russia was turned on at the direction of the former contractor who remotely accessed his computer in Russia.”
The OIG says it raised concerns about “possible cybersecurity vulnerabilities” to WMATA in 2019, arguing vulnerability assessments and testing of system components were not being conducted. WMATA then contracted a security company that produced a findings report, a copy of which the OIG says it received in February, despite earlier requests.
“Given the current threat environment, the report stated that it can be assumed vulnerabilities currently do or will exist within WMATA’s systems. These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render WMATA susceptible to unacceptable outcomes,” the latest OIG document reads.
In a response included in the published report, Torri T. Martin, Metro’s chief information officer, and Elizabeth Sullivan, chief audit and risk officer, wrote to “respectfully note that the Report fails to recognize that the IT department has made measurable improvements in its cybersecurity program as demonstrated by successfully closing 142 out of 168 OIG corrective action plans … since 2019.”
An investigation of the Russian activity by the Microsoft Detection and Response team, they said, did not find that content accessed through the breached computer in January was synchronized onto the Russian device, and “no indications of persistence or ongoing malicious activity” were noted.
The IT department is now reviewing the OIG and Microsoft assessments and recommendations, Martin and Sullivan said.
“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans],” they wrote.