CISA infrastructure tool targeted in January breach, agency says

Sensitive information on the chemical security assessment platform was accessed, though it may not be up to date.

The Cybersecurity and Infrastructure Security Agency’s Chemical Security Assessment Tool was targeted by hackers between Jan. 23 and 26 this year, the agency said in a Friday blog post that confirmed reports from March.

The CSAT platform provides the private sector with chemical security information. The intrusion may have allowed the bad actors to access surveys, vulnerability assessments, site security plans and user accounts, though CISA did not find any evidence of that data being exfiltrated.

It’s unclear how up to date the accessed information was. The Chemical Facility Anti-Terrorism Standards program that underpins CSAT lapsed last July, meaning that CISA no longer requires facilities to regularly report key chemical or infrastructure information to the system.

Past iterations of sensitive information, like facilities’ cyber and physical security features and their chemicals of interest, may have been viewed in the infiltration, as that data is collected in the security assessments accessed by the hackers.

“During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device,” the agency said, referring to the Ivanti virtual private network products that were the subject of previous warnings.

“This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period,” the post added. CISA shuttered the system as soon as the infiltration was detected.

In early February, CISA directed all federal agencies to disconnect their systems from Ivanti products within 24 hours amid concerns that hackers could leverage their vulnerabilities to make their way into government networks.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” a CISA spokesperson told media outlets at the time of the reported CSAT intrusion in March.

CFATS was established in the wake of the Sept. 11 terrorist attacks as national security officials pushed for increased scrutiny over potential weaponization of the chemical sector, motivating lawmakers to include the program in the 2007 DHS appropriations bill.