CISA reports a breach of their Chemical Security Assessment Tool exposing over 100K people
The Cybersecurity and Infrastructure Security Agency (CISA) has reported a compromise of its Chemical Security Assessment Tool (CSAT). The CSAT tool is part of the Chemical Facility Anti-Terrorism Standards program, aimed at screening individuals with access to high-risk chemicals.
The cyberattack was enabled by the exploitation of vulnerabilities in an Ivanti appliance and has potentially affected over 100,000 individuals.
Update - “We have found no evidence of data exfiltration from either system at this time, and there is no ongoing operational impact,” the CISA spokesperson said. “As soon as indications of potential compromise were detected, the agency took proactive measures to isolate the systems, taking them offline and accelerating the decommission of the Ivanti devices.”
As of 20th of June 2024, CISA is reporting that the breach may have exposed the data of individuals whose personally identifiable information (PII) or Chemical-terrorism Vulnerability Information (CVI) was stored in the CSAT system. Potentially compromised PII includes:
- names,
- aliases,
- places of birth,
- citizenship,
- redress numbers,
- Global Entry IDs,
Compromised corporate account information may include business names, titles, addresses, and phone numbers.
As of 25th of June 2024, CISA reported that hackers potentially accessed security vulnerability assessments of critical US chemical facilities, stating that the intrusion “may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts”.
An internal investigation, led by CISA’s Chief Information Officer and threat hunting team, concluded that the attackers were able to deploy a webshell against CSAT, leading to a loss of control. Despite these breaches, which date back to January, there has been no evidence of data exfiltration.
In response to the breach, CISA has initiated several measures including informing the affected individuals and companies, and planning additional technological upgrades to CSAT before it is brought back online.
CISA had implemented vendor-recommended fixes as soon as they were available and conducted daily checks for device compromises. Nonetheless, the attackers were able to circumvent these defenses.