
Chinese Hackers Breached the New York Subway Computers Through Pulse Connect Secure Vulnerabilities

The Metropolitan Transportation Authority (MTA) disclosed that the New York subway system was attacked by hackers associated with the Chinese government. The Chinese hackers are believed to be part of threat actors involved in a global cyber espionage campaign against government agencies, critical infrastructure entities, and private organizations.

Chinese hackers used Pulse Connect Secure VPN to breach the New York subway system

The Chinese hackers exploited zero-day vulnerabilities in Pulse Connect Secure VPN for which patches had not yet been released.

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had issued a joint alert on hackers targeting organizations via VPN vulnerabilities.

The joint alert recommended various mitigations to block Chinese hackers from exploiting the Pulse Connect Secure VPN vulnerabilities. A day later, on April 21, the MTA applied those mitigations.

Additionally, CISA had said it assisted several federal agencies, critical infrastructure entities, and private organizations breached since March 31 via Ivanti’s Pulse Connect Secure. Transit officials believe the exploit was part of the wider breach identified by CISA.

Chinese hackers breached the New York subway twice in the second week of April before they were discovered on April 20.

The New York subway reported the attack to the federal authorities but did not publicly acknowledge the breach until the New York Times reported on it.

Investigation into the New York subway breach

The transit agency involved FireEye’s Mandiant division and IBM to conduct a forensic audit. The investigation revealed that hackers accessed three out of 18 computer systems.

The investigation into the New York subway data breach found that the attack did not affect operational systems and that there was “no employee or customer information breached, no data loss and no changes to our vital systems.”

“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat,” said MTA’s chief technology officer Rafail Portnoy.

The Chinese hackers also left web shells to maintain persistence on the New York subway computer systems. They also attempted to erase any evidence of compromise to evade detection.

However, MTA officials noted that the security of New York subway users was not at risk at any time during the breach.

As a precaution, the New York Subway directed its employees to change their passwords and migrated VPN users to other remote access products. The transport agency also applied certain patches and fixes to prevent the Chinese hackers from regaining access.

The Times reported that addressing the New York Subway breach cost the transport agency $370,000.

Increased cyber threats and ransomware attacks

Threat actors have stepped up attacks against government, critical infrastructure entities, and private organizations.

Last month, the DarkSide ransomware attack on Colonial Pipeline halted operations, causing fuel shortages in the US. Similarly, JBS USA, the largest meat producer in the country, halted operations after attacks by the Russian REvil ransomware gang. Both companies resorted to paying ransoms worth $5 million and $11 million respectively to resume operations.

The FBI had advised organizations against paying the ransom, noting that doing so emboldens the ransomware operators thus increasing the number of attacks.

Additionally, only a few companies that paid received their files back, while others experienced subsequent attacks after paying the ransom. Despite these facts, the two organizations openly paid a ransom, setting a dangerous precedent for future victims.

Such organizations lose more money for each day of downtime than the ransom demand itself, which makes the extortion payment the cheaper option.

This situation has inspired some threat actors to demand a DDoS ransom without carrying out any actual attack. The attackers warned the victims that they stood to lose more money if the threatened attack were carried out than by paying.

“The recent cyber intrusion at the New York Metropolitan Transportation Authority highlights the rising credit risk for U.S. infrastructure systems, as well as the importance of continued investment in cybersecurity,” says Baye Larsen, Analyst at Moody’s. “MTA has steadily increased its investment in cybersecurity over the past few years, leading to strong cyber practices that limited the impact of the breach.

“Without continued cybersecurity investments, MTA, like all US infrastructure, will be vulnerable to credit negative cyber-attacks that can disrupt operations, cash flow and public confidence.”