CISA discloses breach of Chemical Security Assessment Tool

CISA publicly disclosed that its Chemical Security Assessment Tool suffered a breach in January during an attack that exploited Ivanti zero-day vulnerabilities.

CSAT is an online portal that offers surveys and applications to assess which participating chemical facilities are considered high risk under the U.S. government's Chemical Facility Anti-Terrorism Standards program. Assessments were once mandatory for chemical facilities covered by CFATS, but this requirement expired last July.

According to a notification letter authored by CISA Associate Director Kelly Murray and sent to stakeholders on June 20, an unnamed threat actor targeted the tool from Jan. 23-26. Although there was no evidence of data exfiltration, Murray said, the breach "may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts."

The Personnel Surety Program submissions, which exist to vet facility visitors seeking access to restricted areas or critical access, have a substantial amount of personally identifiable information attached to them in particular. PII that could have been accessed includes aliases, passport numbers, redress numbers, Global Entry ID numbers and more.

The breach occurred through CSAT's Ivanti Connect Secure appliance. Murray added that CSAT data used AES-256 encryption as well as additional security controls.

"During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system," the notification letter read. "Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation has concluded and did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment."

Thursday's announcement follows a previous disclosure in March in which CISA said two of its systems were compromised via vulnerabilities in its Ivanti products. The vulnerabilities exploited were two zero-days Ivanti disclosed in January that were being used by Chinese nation-state actors. CVE-2023-46805 is an authentication bypass flaw in Ivanti Policy Secure, and CVE-2024-21887 is a command injection vulnerability in select versions of Ivanti Connect Secure. Security publication The Record first reported the CISA breach, including the targeting of CSAT, in March.

Prior to the March disclosure, CISA had revealed in February that it discovered issues with Ivanti's Integrity Checker Tool (ICT). The vendor has urged customers with vulnerable versions of Ivanti Policy Secure and Ivanti Connect Secure to run the ICT to determine if their products had been compromised. However, CISA said it conducted independent research in a lab that found "the Ivanti ICT is not sufficient to detect compromise."

In April, Mitre also disclosed a breach stemming from the exploitation of the two Ivanti zero-days by nation-state threat actors. The not-for-profit research and development firm, which manages the CVE system, said it first detected malicious activity in NERVE, its Networked Experimentation, Research and Virtualization Environment.

In the wake of the CSAT breach, CISA advised chemical facilities to "maintain cyber and physical security measures."

"While the investigation found no evidence of credentials being stolen, CISA encourages individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password," CISA said. "This can help to prevent possible 'password spraying' attacks in the future."

Thursday's notification was the first official disclosure from CISA regarding the breach of CSAT, though agency officials had previously acknowledged the compromise in media reports since March. A CISA spokesperson shared the following statement with TechTarget Editorial:

CISA's Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024. While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts. Following the conclusion of the investigation, under the reporting requirements of the Federal Information Security Modernization Act, CISA notified participants in the Chemical Facility Anti-Terrorism Standards program about the intrusion and the potentially impacted information.

TechTarget Editorial contacted Ivanti for additional comment, but the company has not responded at press time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.