A personal computer in Russia was used to breach Metro’s computer network this year after the transit agency repeatedly was warned that cybersecurity deficiencies left its systems open to information theft and national security threats, according to a report released Wednesday.
The unauthorized January log-in to Metro’s cloud-based system from a computer belonging to a former IT contractor drew the attention of the transit agency’s Office of the Inspector General (OIG). Metro confirmed the inspector general’s account but disputed its description of the incident as a breach, saying in a statement that the documents accessed were related to the former contractor’s work.
The inspector general’s report surfaced deep-rooted problems that the watchdog’s officials say hinder security upgrades and leave the transit agency open to attacks that could threaten train safety. At risk is the nation’s third-largest transit system, responsible for transporting more than 600,000 people a day around the nation’s capital. As Metro increasingly relies on technology — launching a mobile fare card and app during the pandemic while aiming to switch to self-piloting trains this year — investigators said the need for strengthened cybersecurity protections will only rise.
The most recent episode unfolded after the inspector general’s office had warned Metro for months that investigators uncovered widespread and long-standing security issues, including years of missing computer security updates, interdepartmental disputes that hamstring Metro’s cybersecurity team, Russia-based contractors receiving high-level clearances and other security holes that required immediate attention.
Metro’s sluggish response prompted Inspector General Rene Febles in recent weeks to elevate the concerns to federal law enforcement, homeland security and transportation agencies while briefing multiple congressional committees, according to a person with knowledge of the briefings. Several lawmakers confirmed Wednesday that they had been briefed and said they were concerned about problems the inspector general had uncovered.
“These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render [Metro] susceptible to unacceptable outcomes,” the report said.
Metro General Manager Randy Clarke acknowledged deficiencies the agency is remediating but said Metro reported the unauthorized login to the Cybersecurity and Infrastructure Security Agency (CISA), which he said “closed the case without comment.”
Transit officials say CISA, the nation’s preeminent cybersecurity authority, and Microsoft, whose products Metro relies on, did not alert Metro of major cybersecurity problems after reviews.
“Safety and security is our core value, and we will continue to prioritize improvements in this area,” Clarke said in a statement.
Metro said in a memo to the Transportation Security Administration that since Sept. 30, it has required employees of one contractor to work on agency projects from within the United States. The name of the company is redacted in the version of the memo Metro released, and the OIG would not disclose the company’s identity.
But in a briefing, Febles referred to EastBanc Technologies, a Washington-based firm with a history of contracts with Metro and government agencies, according to the office of Sen. Mark R. Warner (D-Va.), who is the chairman of the Senate Intelligence Committee.
“Sen. Warner will be keeping a close eye on [Metro’s] oversight of its contractors and its management of IT permissions,” Warner spokeswoman Valeria Rivadeneira said in a statement.
An EastBanc spokeswoman who wouldn’t provide her name said the company ended any relationship with Russia after sanctions were imposed last year following that country’s invasion of Ukraine. She said the company complied with Metro’s security requirements, including that employees be in the United States.
Efforts to reach the individual contract worker involved in the data breach were not successful. The memo to the TSA indicates that he was barred from working with Metro on Jan. 10.
Metro’s security and audit teams did not find indications that anything from the breached system was copied to a Russia-based computer, the report said.
In a response to the OIG that was included in the report, Metro’s chief information officer, Torri Martin, as well as its chief audit and risk officer, Elizabeth Sullivan, said Metro is reviewing recommendations from both the OIG and Microsoft.
“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans],” Martin and Sullivan wrote.
Republican and Democratic staff on the Senate Banking Committee, which oversees transit, confirmed Wednesday that they had been briefed by the inspector general. Jessica Collins, a spokeswoman for the Republican-led House Oversight Committee, also said the committee had received a bipartisan briefing from the inspector general.
“We are alarmed by the Inspector General’s findings and will be further examining this issue to ensure any vulnerabilities in [Metro’s] cybersecurity operations are addressed in order to protect sensitive data and networks,” Collins said in a statement.
Sen. Tim Kaine (D-Va.) said the transit agency needs to “step it up” and move quickly to shore up its cybersecurity.
Congress and the federal government repeatedly cite Metro, including its 97 stations and miles of underground tunnels, as a national security priority. Congress has held hearings to review whether Metro was adequately protected from terrorist attacks, and lawmakers in 2019 passed a provision that banned the agency from hiring a rail car manufacturer in China, concerned they could be built with capabilities for the Chinese government to spy on Washington or to launch cyberattacks.
The inspector general’s office has raised concerns about Metro’s computer security in the past. In 2018, the OIG completed an audit that found the transit agency was vulnerable to attack, but it decided to keep the full findings secret so as not to reveal specific weaknesses. In 2020, another report highlighted opportunities for Metro to improve security. Those details also were kept secret.
The report released Wednesday said Metro didn’t act on more than 50 previous cybersecurity recommendations from oversight agencies dating back to 2019.
“During OIG’s investigation, evidence has surfaced that [Metro], at all levels, has failed to follow its own data handling policies and procedures as well as other policies and procedures establishing minimum levels of protection for handling and transmitting various types of data collected by [Metro],” the report said.
The audit also touched on train safety, which was not related to the OIG’s investigation into foreign-based contractors but deemed by investigators to be an urgent matter. The report indicated that some of Metro’s trains were found by an outside contractor in 2019 to have cybersecurity vulnerabilities. Metro hired a firm to probe the trains for vulnerabilities, and according to the report, “the security company determined that the risk to [Metro’s] train in its current configuration was ‘critical.’”
Those findings were not turned over to the inspector general’s office until this past February, the report said. The type of train with vulnerabilities is redacted, but the description of the testing matches an initiative Metro launched to test the security of its latest 7000-series cars.
In its response to the inspector general, Metro said the security testing firm was never able to access the trains’ automatic train controls. The agency said suppliers are working to fix the weaknesses but that those efforts had been slowed by the pandemic.
The Washington Metrorail Safety Commission, an independent regulatory agency Congress created to monitor Metrorail safety, said in a statement Wednesday that Metro has reduced cybersecurity risk on trains.
“We look forward to Metrorail ensuring that it implements remaining changes in a timely, coordinated fashion as part of its continuous improvement process,” the statement said.
The most recent intrusion investigation and subsequent report stem from a routine cybersecurity audit that the OIG began in January last year. The OIG is an independent agency that works to ferret out waste, theft, crimes or the misuse of agency property or power.
Weeks after starting the audit, OIG investigators paused it, shifting to determining the depth of issues and making recommendations Metro could use for urgent changes and upgrades. Among the issues were contractors working from Russia on Metro projects. The employees who worked for EastBanc were tasked with helping Metro to modernize its SmarTrip fare card service payment processing system and developing a more efficient method of refund processing, according to the company’s website. The company has contracted with Metro for over a decade.
Russia had a bustling IT outsourcing sector, but foreign technology companies were quick to pull out of the country after it invaded Ukraine.
Nitish Mittal, a partner at research firm Everest Group, said continuing to maintain ties with Russia presented reputational and security risks after the war began, noting that it was relatively easy for IT companies to leave. Mittal said companies are increasingly looking to ensure their outside technology teams are in friendly countries, a concept he referred to as “ally-shoring.”
“Going forward, we do see clients trying to future-proof how they source talent,” he said.
Federal cybersecurity officials said they have seen increased cyberattacks from Russia, driven either by the crippling economic sanctions imposed on the country or by the material support that the United States and its allies are providing Ukraine.
On May 9, CISA issued an alert warning businesses and agencies to protect against a sophisticated cyberespionage tool, or “snake,” designed by Russia’s Federal Security Service for long-term intelligence collection on targets such as government networks. The malware was detected in 50 countries, CISA said.
In response, Febles issued a rare alert about a week later to Metro’s then-interim general manager, Andy Off. The alert stressed the importance of expediting cybersecurity upgrades.
The OIG continued to investigate the contractors who had been working in Russia and subpoenaed background checks the transit agency requires that contractors conduct on their employees — a process investigators want Metro to review in light of the recent concerns, according to the report.
Those subpoenaed records showed that more than one-third of the background checks used the same last four digits of a Social Security number, the report said. The EastBanc spokeswoman said the company accurately submitted Social Security and government records as requested. Metro pledged to resolve the vulnerabilities.
On Jan. 4, the transit agency’s cybersecurity staff received notice that a computer in Russia had accessed Metro’s system, which the report described as being a “sensitive” Metro directory. According to the inspector general’s report, the office’s investigation traced the breach to the home computer of an employee whose contract had expired.
OIG investigators determined that the man used his still-active log-in and password while remotely accessing his computer in Russia. Investigators found the worker’s initial story about the incident not to be truthful, the report said.
“Since the former contractor’s high-level administrative access had not been revoked, he was able to remotely access his personal computer in Russia to log into [Metro] systems containing critical and sensitive [Metro] data,” the OIG report said.
Investigators asked Metro’s IT manager, whose role includes terminating such log-ins and passwords, why the account was still active. They learned that an IT supervisor had allowed the former contractor to retain his high-level access while hoping the company would rehire him, according to the report.
In its memo to the TSA, Metro said the contractor’s access had been reenabled due to a “business process error.”
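The two control failures the report describes, a contractor whose administrative account stayed enabled after his contract ended, and background-check records in which many subjects shared the same last four Social Security digits, are both things an identity team can catch with a routine audit rather than after an intrusion. The script below is an added illustration, not code from the OIG report, Metro or EastBanc: it runs over a constructed account list and a constructed set of background-check records, flags enabled accounts whose contract end date has passed (privileged ones first, since those should be revoked first) and reports what share of check records reuse an identifier value. The data classes, field names and sample values are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    privileged: bool            # high-level / administrative access
    enabled: bool
    contract_end: Optional[date]  # None for direct employees with no end date


@dataclass
class BackgroundCheck:
    subject: str
    ssn_last4: str              # only the last four digits are stored here


def stale_enabled_accounts(accounts: List[Account], today: date) -> List[str]:
    """Usernames whose contract end date is in the past but whose account is
    still enabled. Privileged accounts are listed first so they are revoked
    first; disabled accounts and open-ended employees are not flagged."""
    stale = [
        a for a in accounts
        if a.enabled and a.contract_end is not None and a.contract_end < today
    ]
    stale.sort(key=lambda a: (not a.privileged, a.username))
    return [a.username for a in stale]


def duplicate_identifier_share(
    checks: List[BackgroundCheck],
) -> Tuple[float, Dict[str, int]]:
    """Fraction of background-check records whose identifier value also
    appears in at least one other record, plus the repeated values and how
    many records carry each. A high share means the checks could not have
    been run against distinct individuals."""
    counts = Counter(c.ssn_last4 for c in checks)
    repeated = {value: n for value, n in counts.items() if n > 1}
    affected = sum(repeated.values())
    return (affected / len(checks) if checks else 0.0), repeated


# Constructed sample data (hypothetical; not taken from the report).
SAMPLE_ACCOUNTS = [
    Account("contractor_a", privileged=True, enabled=True, contract_end=date(2022, 12, 31)),
    Account("contractor_b", privileged=False, enabled=True, contract_end=date(2023, 6, 30)),
    Account("contractor_c", privileged=True, enabled=False, contract_end=date(2022, 11, 1)),
    Account("staff_d", privileged=True, enabled=True, contract_end=None),
]

SAMPLE_CHECKS = [
    BackgroundCheck("subject_%d" % i, last4)
    for i, last4 in enumerate(
        ["1234", "5678", "1234", "9012", "3456", "1234", "7890", "2345", "6789"]
    )
]


def run_audit(today: date = date(2023, 1, 4)) -> dict:
    """Run both checks and return the findings as a plain dict for reporting."""
    share, repeated = duplicate_identifier_share(SAMPLE_CHECKS)
    return {
        "stale_enabled": stale_enabled_accounts(SAMPLE_ACCOUNTS, today),
        "duplicate_share": share,
        "repeated_values": repeated,
    }


if __name__ == "__main__":
    findings = run_audit()
    for user in findings["stale_enabled"]:
        print("REVOKE: account still enabled after contract end:", user)
    print("share of check records reusing an identifier: %.2f" % findings["duplicate_share"])
```

In practice the account list would come from an identity-directory export and the contract end dates from the procurement or HR system of record; the point of joining the two is that neither source alone reveals an account an IT supervisor chose to keep open "hoping the company would rehire him".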
Metro said it reported the incident to the Department of Homeland Security’s cybersecurity office, which closed the report “without comment.” The DHS office referred questions back to Metro. The transit agency has also created a chief digital officer position reporting directly to Clarke.
The inspector general’s report said concerns about contractors’ links to Russia “still stand.”
“One of the OIG’s gravest concerns identified … was access to [Metro] data by foreign nationals who were supporting sensitive applications and systems from Russia,” the report said.