A cyberattack targeting the Cybersecurity and Infrastructure Security Agency in late January impacted a pair of the agency’s systems, a CISA spokesperson said Monday.
An as-yet-unidentified threat actor gained access to the CISA Gateway, an integrated collection of vulnerability assessments and tools for critical infrastructure organizations, and to the Chemical Security Assessment Tool (CSAT), a repository of chemical plant security plans. CISA discovered the intrusion, which was linked to widely exploited vulnerabilities in Ivanti remote access VPNs, on Jan. 26.
One of the breaches may have compromised more than 100,000 people.
CyberScoop first reported details of CISA’s investigation into the incident Friday after CISA disclosed the incident to multiple requisite congressional panels and committees earlier that day.
“We have found no evidence of data exfiltration from either system at this time, and there is no ongoing operational impact,” the CISA spokesperson said. “As soon as indications of potential compromise were detected, the agency took proactive measures to isolate the systems, taking them offline and accelerating the decommission of the Ivanti devices.”
The CSAT remains offline but the CISA Gateway is currently operational and available to critical infrastructure partners, the spokesperson said.
“Despite no evidence of data exfiltration, the number of potential individuals and the nature of the data that could have been exposed in the CSAT system met the threshold of a major incident under the Federal Information Security Management Act,” the spokesperson said.
What's going on with Ivanti?
Threat actors started widely exploiting a pair of zero-day vulnerabilities in Ivanti Connect Secure and other remote access VPNs in early December.
CISA said it applied Ivanti’s recommended mitigation measures on Jan. 11 and used Ivanti’s integrity checker tool daily to hunt for potential compromises. The threat actor circumvented the mitigations and Ivanti’s integrity checker tool, the CISA spokesperson confirmed.
By that time, the attackers had already been observed modifying legitimate Ivanti Connect Secure (ICS) components and other systems to evade Ivanti’s integrity checker tool, according to researchers at Volexity.
A spokesperson for Ivanti said the company cannot discuss specific customers and pointed to previous updates, including revised mitigation measures, patches and an updated external integrity checker tool the company released in late January.
“As Ivanti has made clear to customers, the [integrity checker tool] is not intended to be a magic bullet – it is one important and informative security tool in their arsenal, as a complement to other tools,” the Ivanti spokesperson said. “We will continue to enhance the ICT to detect known threats based on what we and our partners have seen in the wild.”
After weeks of widespread exploitation activity, Ivanti released a security patch on Jan. 31 for the two zero-day vulnerabilities: CVE-2023-46805, an authentication-bypass vulnerability, and CVE-2024-21887, a command-injection vulnerability.
Federal and international cyber authorities issued a global alert in late February warning that critical vulnerabilities in Ivanti Connect Secure and Policy Secure were still under active exploitation.
“This is a reminder that any organization can be affected by a cyber vulnerability. The important thing is what happens next,” the CISA spokesperson said. “We are working to notify all potentially impacted individuals and organizations, and we strongly urge all organizations to review our latest Ivanti advisory and take the steps outlined to protect their systems.”