Chinese attackers exploited a known zero-day to gain access to the network of the US’s Metropolitan Transportation Authority (MTA). The attack took place in April. However, the cybercriminals did not gain access to the systems that control the transportation network.
The Metropolitan Transportation Authority is the largest transportation network in North America, serving more than 15.2 million people in New York City and the states of New York, Connecticut, and New Jersey. It operates various agencies and programs.
The MTA hired Mandiant, a cybersecurity firm, to investigate the incident. According to the firm, while the attackers were able to infiltrate some systems, they were not able to gain access to the information of the employees or the customers.
“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cybersecurity firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” Rafail Portnoy, MTA’s Chief Technology Officer, said.
On April 21, the MTA mitigated the Pulse Secure vulnerability – one day after Pulse Secure issued an advisory and CISA issued an alert about the active attacks.
In addition to the MTA’s quick response, the Authority’s multi-layered security systems prevented the attack from spreading.
This was the third attack on the Metropolitan Transportation Authority’s network in recent years, officials told the NY Times.
While the attack has not been attributed to any specific APT, FireEye revealed on April 20 that two Chinese-backed actors tracked as UNC2630 and UNC2717 were actively exploiting the zero-day flaw to deploy multiple malware families.
According to FireEye, the espionage activities of the two Chinese threat actors known as UNC2630 and UNC2717 support key Chinese government goals.
“Espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities,” FireEye said in a report published last month.
Their malware works by stealing sensitive data from Pulse Secure VPN appliances. The exploit was used to gain unauthorized access to the networks of various US and European organizations.
Pulse Secure issued security updates on May 3 to address the zero-day bug that affected its appliances. The company also released a tool that helps organizations identify whether attackers modified files on their appliances.