Critical Infrastructure Security , Incident & Breach Response , Network Firewalls, Network Access Control
CISA Confirms Cyberattack on Critical Chemical Security Tool
US Cyber Defense Agency Says Major Cyberattack Result of Vulnerable Ivanti ProductsThe U.S. cyber defense agency confirmed Monday that one of its critical tools housing private sector chemical security plans was the target of a January cyberattack that "may have resulted in the potential unauthorized access" of sensitive data.
See Also: OnDemand | Hybrid Mesh Firewalls and Microsoft Azure, Extending Your Network Security to the Cloud
The Cybersecurity and Infrastructure Security Agency said it sent notifications Thursday to participants in the Chemical Facility Anti-Terrorism Standards program about the cybersecurity intrusion that affected the agency's Chemical Security Assessment Tool. The notifications said the agency "found no evidence of exfiltration of data" but warned the hackers may have accessed "top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions and CSAT user accounts."
CFATS-regulated facilities are required to comply with facility personnel security measures that involve submitting personal identifiable information for vetting purposes, including name, passport number, place of birth and citizenship status. CISA urged facilities to reset passwords for individuals who had CSAT accounts to avoid possible password spraying attacks.
The agency also encouraged facilities that received the notification letters to notify individuals submitted by that facility for security vetting under the CFATS personnel survey program of the incident.
The intrusion was the result of vulnerabilities found in Ivanti VPN devices that allowed hackers to breach two gateways used by CISA, the agency told Information Security Media Group in March (see: Hackers Compromised Ivanti Devices Used by CISA). It was reported at the time that the affected systems connected to CSAT as well as the Infrastructure Protection Gateway, a portal containing data about security assessments for significant national critical infrastructure.
"CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses" in February, a spokesperson said at the time. "We continue to upgrade and modernize our systems, and there is no operational impact at this time."
CISA announced it was hosting multiple webinars for stakeholders to review the information provided in the Ivanti vulnerability notifications. The next webinar is scheduled for July 9.
Ivanti devices faced a flurry of attacks beginning in December by alleged Chinese nation-state hackers that stole account credentials stored inside Ivanti gateways. CISA gave federal agencies until February 2 to perform factory resets on all of the company's devices, though the agency later warned that hackers could preserve access to a compromised device even after a factory reset (see: Feds Face a Midnight Deadline for Resetting Ivanti Gateways). Ivanti disputed those claims.