Earlier today, officials at MTA, the subway system of New York that services over 15 million people, confirmed that the MTA suffered a targeted cyber attack in late April but succeeded in mitigating the impact of the attack and in keeping its operations running at full steam.
The cyber attack occurred soon after government agencies, such as CISA, NSA and FBI, issued a joint alert on April 20, warning organisations about a zero-day vulnerability that hackers could exploit to devastating effect. The following day, MTA applied recommended fixes and patches to three out of its eighteen systems, thereby keeping the impact limited to the three affected systems.
An immediate security audit conducted by the cyber security firms FireEye and IBM revealed that, even though the cyber attack did take place, it did not result in any data loss or in the compromise of employee information or account credentials.
“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” said Rafail Portnoy, the Chief Technology Officer of MTA, in a statement.
“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat,” he added.
Even though the impact of the cyber attack was negligible, MTA still took precautionary measures to contain it. After detecting the attack, the subway system immediately reset the passwords of 3,700 employees and replaced its existing VPNs with new ones.
“An attack such as one like this can cause significant disruptions to the lives of millions of people who are trying to travel every day. Although the attackers did not manage to gain access to systems that control the transportation, vulnerabilities in the network mean that attackers certainly had that opportunity. If they had gained access, then much of New York’s transportation would have come to a standstill and the consequences of this would have been disastrous,” said Brooks Wallace, VP EMEA at Deep Instinct.
“Nation states have formed small armies under strict discipline to focus on stealing money, government secrets and being disruptive. This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyber attack across the US in the future.
“The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A ‘prevention-first’ mindset is also key – attacks need to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more.
“When dealing with an unknown threat, 60 seconds is too long to wait for an analysis. Organisations need to invest in solutions that use technology such as deep learning which can deliver a sub-20 millisecond response time to stop an attack, pre-execution, before it can take hold,” Wallace added.