The Cybersecurity and Infrastructure Security Agency notified lawmakers on Friday that the recent breach of its chemical plant security tool, linked to flawed Ivanti products, potentially affected more than 100,000 individuals, triggering disclosure to Congress under a federal cybersecurity law.
The scale of the breach categorizes it as a “major incident” under the Federal Information Security Management Act’s threshold. Hackers breached the Chemical Security Assessment Tool (CSAT) and another CISA system, CISA Gateway, used for securing critical infrastructure. The agency is now starting to inform affected individuals and companies.
A CISA official stated that there is no evidence of data theft following the exploitation of vulnerabilities in Ivanti products. Although the breach prompted CISA to take the affected systems offline, it had no operational impact.
“We thoroughly investigated to check for any data extraction, which was a primary concern and one of the reasons for the delay. Our transparency in sharing more details is a testament to our commitment,” said Brandon Wales, CISA’s executive director, to CyberScoop.
An internal investigation conducted by CISA’s chief information officer and threat hunting team found that the attackers deployed a webshell on the CSAT system. The compromise of CISA Gateway was more limited by comparison, with no webshell deployed there.
The breach at CISA, first reported earlier this month, dates back to January, when the Ivanti vulnerability was disclosed. CISA had issued an alert about this vulnerability, which the hackers then exploited to gain access to CISA’s systems.
CISA implemented vendor-recommended patches on January 11 and performed daily checks using an Ivanti tool to detect compromises. On January 26, the compromise of the CSAT application was detected. The hackers had access to the device for two days before being discovered.
The hackers bypassed Ivanti’s mitigations and integrity checks. CISA is keeping CSAT offline while it makes system improvements and awaits reauthorization of the chemical plant security law.
CISA briefed congressional committees, as the federal cybersecurity law requires. While the government has not identified the perpetrators behind the exploit, cybersecurity firms have attributed the breach to China-linked hackers.
Despite the breach, CISA sees it as a learning opportunity. The agency had a robust incident response plan, acted swiftly, and prioritized information sharing with industry partners. Improvements are being made based on the incident’s findings to enhance the security of CISA’s systems.
Written by Tim Starks
Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO, and Congressional Quarterly. A native of Evansville, Ind., he has been covering cybersecurity since 2003.