Dive Brief:
- The Cybersecurity and Infrastructure Security Agency can’t rule out that chemical facilities’ data was stolen during a January attack targeting the agency’s systems, CISA said in a Monday notification. The agency has notified organizations representing more than 100,000 people of potential exposure.
- An unidentified threat actor gained access to CISA’s Chemical Security Assessment Tool (CSAT) from Jan. 23 to 26, but the agency said it found no evidence of data theft or lateral movement.
- “While CISA’s investigation found no evidence of exfiltration of data, the compromise may have resulted in the potential unauthorized access of top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, and CSAT user accounts,” an agency spokesperson said via email.
Dive Insight:
The intrusion was linked to widely exploited zero-day vulnerabilities in Ivanti remote access VPNs, which CISA used at the time of the attack. The two flaws, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), affect Ivanti Connect Secure and Policy Secure appliances and were chained by attackers to run commands on the device without credentials. Exploitation began in early December 2023, and Ivanti released its first security patches for the CVEs on Jan. 31.
For CISA, the fix was too late. The agency’s scanning systems identified malicious activity on Jan. 26, and later during its investigation CISA determined that an advanced webshell had been installed on Jan. 23 on the exploited Ivanti Connect Secure device that served CSAT. Ivanti had published the vulnerabilities, an interim mitigation and an integrity checker tool on Jan. 10, three weeks before the patches, so the window between disclosure and patch was one in which only mitigations and device integrity checks were available to defenders.
“This type of webshell can be used to execute malicious commands or write files to the underlying system,” CISA said Monday in the notification. “Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period.”
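The two things a defender would look for in the scenario described above are the exploitation chain in the appliance’s web access log (a path-traversal request from an unauthenticated API prefix into an authenticated one, carrying a shell payload) and the webshell itself as a file that was not in the known-good build. The following is an added example written for this page, not CISA’s scanning system or Ivanti’s Integrity Checker Tool; the log format, the endpoint names, the file paths and the manifests are constructed for illustration and are not taken from a real device or from the article.

```python
"""Two checks for the compromise pattern discussed above: (1) requests that
look like an auth-bypass traversal chained with command injection, and
(2) files present on the appliance that are absent from or differ from a
known-good manifest (a dropped webshell shows up as an added file).

Illustrative code only. Log format, endpoint names, paths and hashes below are
hypothetical and constructed for the example.
"""
import hashlib
import os
import posixpath
import re
from urllib.parse import unquote

# Hypothetical access-log format: client, method, raw request target, status.
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Shell metacharacters that have no business in a request to an appliance API:
# command separator, pipe, backtick, $(...) substitution.
INJECTION_RE = re.compile(r"[;|`]|\$\(")

# Constructed sample log. Lines 2 and 3 have the shape of the chain: a '..'
# traversal from an unauthenticated prefix into a restricted one (the bypass),
# carrying a shell payload (the injection). The other lines are benign noise.
SAMPLE_LOG = """\
203.0.113.7 GET /dana-na/auth/url_default/welcome.cgi 200
203.0.113.7 GET /api/v1/public/totp-backup/../../restricted/keys-status/;id 200
203.0.113.7 GET /api/v1/public/totp-backup/../../restricted/test-connection?type=$(id) 200
198.51.100.9 GET /api/v1/restricted/keys-status/ 401
192.0.2.5 POST /dana-na/auth/login.cgi 302
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_traversal(target):
    """True if the path part of the target contains a '..' segment, i.e. the
    request was routed to a different handler than the prefix it was sent to.
    Percent-decoding first so '%2e%2e' does not hide the segment."""
    path = unquote(target.split("?", 1)[0])
    return ".." in path.split("/")


def has_injection(target):
    """True if the decoded target carries shell metacharacters."""
    return INJECTION_RE.search(unquote(target)) is not None


def scan_access_log(log_text):
    """Flag requests matching the bypass-plus-injection chain.
    Returns a list of (client, target, flags) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = []
        if is_traversal(rec["target"]):
            flags.append("traversal")
        if has_injection(rec["target"]):
            flags.append("injection")
        if flags:
            findings.append((rec["client"], rec["target"], tuple(flags)))
    return findings


def build_manifest(root):
    """Hash every regular file under root into {relative_path: sha256hex}.
    This is what a real integrity check would run on the appliance; the
    example below uses constructed manifests instead of a live filesystem."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = posixpath.join("/", os.path.relpath(full, root).replace(os.sep, "/"))
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


# Constructed manifests (hypothetical paths, placeholder hashes): a known-good
# build versus the same tree after a webshell was written into the web root.
BASELINE = {
    "/web/htdocs/dana-na/auth/login.cgi": "a1" * 32,
    "/web/htdocs/dana-na/css/ds.css": "b2" * 32,
}
CURRENT = {
    "/web/htdocs/dana-na/auth/login.cgi": "a1" * 32,
    "/web/htdocs/dana-na/css/ds.css": "b2" * 32,
    "/web/htdocs/dana-na/auth/lastauth.js": "c3" * 32,  # the dropped file
}


def diff_manifest(baseline, current):
    """Compare two manifests; a dropped webshell appears under 'added', a
    backdoored legitimate file under 'modified'."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    for client, target, flags in scan_access_log(SAMPLE_LOG):
        print(f"{client} {','.join(flags)} {target}")
    print(diff_manifest(BASELINE, CURRENT))
```

The log check is deliberately generic: it keys on the shape of the chain (a `..` segment in an API path plus shell metacharacters) rather than on any one endpoint, so it still fires if the attacker varies the target path; in production it needs tuning for legitimate `;jsessionid`-style path parameters. The manifest diff is only as good as the baseline it is compared against, which is why a known-good manifest should come from the vendor or from a clean image, not from a device that may already be compromised.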
CISA, which is no longer using the affected Ivanti products, declined to say what actions the attacker took when they accessed the webshell.
The agency maintained several layers of defense and separation between the exploited Ivanti device and potentially sensitive data, but it cannot rule out that unauthorized access was achieved, Kelly Murray, associate director at CISA, said Monday during a webinar on the incident.
The notifications, which CISA sent to all potentially impacted organizations, were required because the breach met the threshold of a major incident under the Federal Information Security Modernization Act of 2014 (FISMA): unauthorized access to, or potential compromise of, the personally identifiable information of 100,000 or more individuals.
“When the data is at risk and we can’t rule out that access was granted, we’re required to do these notifications,” Murray said.
CISA blocked industry access to the CSAT system in July 2023 when Congress declined to reauthorize the Chemical Facility Anti-Terrorism Standards program. The system was completely taken offline when the agency discovered the intrusion in January and will remain offline until the program is reauthorized.