Cyber Incident Victim: Chemical Security Assessment Tool
Date: Jan 2024
Location: United States of America
Summary
A malicious actor breached the U.S. Cybersecurity and Infrastructure Security Agency's Chemical Security Assessment Tool (CSAT) by exploiting an Ivanti device, installing an advanced webshell that enabled potential unauthorized access to sensitive documents including facility security assessments, site security plans, and personnel vetting submissions containing personally identifiable information such as names, birthdates, and citizenship details. While forensic analysis found no evidence of data exfiltration or lateral movement beyond the compromised device—attributed to AES-256 encryption and segregated security controls—the incident triggered federal reporting requirements due to the scale of potentially exposed data. The agency isolated the system, initiated identity protection services for affected individuals vetted under the Chemical Facility Anti-Terrorism Standards program, and requested voluntary cooperation from facilities to notify personnel whose contact information it lacked.
Description
A malicious actor conducted a cybersecurity intrusion targeting the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) between January 23 and 26, 2024. The attacker exploited vulnerabilities in an Ivanti Connect Secure appliance, installing an advanced webshell capable of executing malicious commands or writing files to the underlying system. Forensic analysis revealed the actor accessed this webshell multiple times over a two-day period. Although CISA’s investigation found no evidence of data exfiltration or adversarial movement beyond the compromised Ivanti device, the intrusion potentially exposed sensitive documents within the CSAT environment. These included Top-Screen surveys detailing facility names, addresses, chemical inventories, and storage methods; Security Vulnerability Assessments (SVAs) outlining cyber and physical security features, asset locations, and chemical handling procedures; Site Security Plans (SSPs) describing risk mitigation measures and compliance with security standards; Personnel Surety Program (PSP) submissions containing Personally Identifiable Information (PII); and CSAT user accounts. The PSP data encompassed at minimum individuals’ names, dates of birth, and citizenship or gender, with facilities optionally submitting aliases, passport numbers, redress numbers, Global Entry IDs, or Transportation Worker Identification Credential (TWIC) IDs for personnel vetted between December 2015 and July 2023.

CISA immediately isolated the CSAT application from its network, took the system offline, and initiated a forensic investigation involving technical experts from its Office of the Chief Information Officer, Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center. The agency determined all CSAT data remained encrypted using AES-256 encryption, with additional application-layer security controls restricting lateral access and encryption keys concealed from the threat actor’s access level. Despite no confirmed data theft, CISA classified the event as a major incident under the Federal Information Security Modernization Act (FISMA) due to the scale of potentially compromised records and proactively notified all Chemical Facility Anti-Terrorism Standards (CFATS) program participants. Since CISA lacked contact details for individuals vetted through the PSP, it requested facilities to voluntarily notify affected personnel or share their contact information for direct outreach by the agency. CISA advised CSAT account holders to reset passwords reused across other accounts as a precaution against credential-based attacks and began arranging identity protection services for individuals whose PSP data was submitted during the 2015-2023 period. The agency scheduled stakeholder webinars for June and July 2024 to address inquiries and established a dedicated email ([email protected]) for facilities and impacted individuals pending activation of a call center.
