Date:

Jan 2024

Location:

United States of America

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) suffered a breach of its Chemical Security Assessment Tool (CSAT). A malicious actor exploited an Ivanti Connect Secure appliance to install an advanced webshell, which gave them a path to sensitive Chemical Facility Anti-Terrorism Standards (CFATS) program data: facility security assessments, site plans, and personally identifiable information. No data exfiltration was detected, but the volume of data at risk met the federal threshold for a major incident. The agency isolated the affected system, ran a forensic investigation, and confirmed that the CSAT data was encrypted and that the encryption keys were not reachable from the compromised appliance, which limited what the actor could have read. Identity protection services are being arranged for the individuals vetted under the program's personnel surety process.


Description

On January 23, 2024, a malicious actor breached the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Chemical Security Assessment Tool (CSAT) by exploiting vulnerabilities in an Ivanti Connect Secure appliance. The intrusion lasted until January 26. During that window the attacker installed an advanced webshell capable of executing commands and writing files on the underlying appliance. Forensic analysis showed the actor accessed the webshell multiple times over a two-day period, but investigators found no evidence of data exfiltration and no evidence of lateral movement beyond the compromised Ivanti device. The CSAT environment held sensitive Chemical Facility Anti-Terrorism Standards (CFATS) program records: Top-Screen surveys detailing facility names, addresses, and chemical inventories; Security Vulnerability Assessments (SVAs) analyzing physical and cybersecurity postures; Site Security Plans (SSPs) outlining risk mitigation measures; and Personnel Surety Program (PSP) submissions containing Personally Identifiable Information (PII) such as names, birthdates, citizenship status, and optional identifiers like passport numbers. CISA immediately isolated the affected system from its network, took CSAT offline, and opened a forensic investigation involving technical teams from its Office of the Chief Information Officer, the Cybersecurity Division's threat hunting unit, and the Department of Homeland Security's Network Operations Center.


The incident potentially exposed data on individuals and facilities that participated in the CFATS program between December 2015 and July 2023. PSP-vetted personnel were of particular concern because statutory limits on what CSAT may collect meant CISA held no direct contact details with which to notify them. All CSAT data was protected with AES-256 encryption, and the encryption keys were not accessible from the compromised appliance, so the actor could not have decrypted the records during the intrusion; CISA nevertheless classified the event as a major incident under the Federal Information Security Modernization Act (FISMA) because of the volume of records potentially within reach. The agency notified all CFATS participants of the risk, advised password resets for any account that shared credentials with CSAT, and asked facilities to voluntarily alert affected personnel or to provide their contact information to [email protected]. CISA arranged identity protection services for impacted individuals, scheduled stakeholder webinars for June and July 2024, and set up a dedicated call center to handle inquiries. The Department of Homeland Security's risk assessment concluded that PSP participants faced the highest potential consequences given the sensitivity of their PII, although the forensic evidence showed no indication that any data was actually taken during the limited period of access.
