
CISA Warns Chemical Facilities of Data Theft After Hacker Breached CSAT Security Tool via Ivanti

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned high-risk chemical facilities of potential data theft after a threat actor compromised the agency’s Chemical Security Assessment Tool (CSAT).

The tool was part of the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) program, which expired in July 2023.

Over 300 facilities that store certain chemicals of interest (COI) above a set threshold participated in the CFATS program and used the CSAT tool. If those substances fall into the wrong hands, they could be used to make weapons and explosives for terrorist attacks.

High-risk chemical facilities’ data compromised via Ivanti

CISA said the attacker gained access by exploiting a security vulnerability in the Ivanti Connect Secure appliance used by CSAT.

“On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance,” the agency said.

The agency did not name the vulnerability. The Ivanti flaws disclosed in January 2024, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), were being chained in the wild at the time to run arbitrary commands on the appliance without credentials, and CVE-2024-21893, a server-side request forgery bug disclosed on January 31, later offered another way around authentication. CISA also did not identify the threat actor; Volexity has tied the earliest exploitation of these flaws, observed in December 2023, to a suspected Chinese nation-state actor.

After gaining access, the threat actor installed what CISA described as an advanced webshell on the Ivanti appliance, which could execute commands and write files on the underlying system.

The attacker accessed the webshell numerous times over a two-day period between January 23 and January 26, 2024. However, CISA found no “adversarial access beyond the Ivanti device” and no evidence of data theft from the CSAT environment.

Nevertheless, the intrusion likely “resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts,” the agency warned.

Individuals participating in the Personnel Surety Program had submitted personally identifiable information (PII) for screening for potential terrorist ties.

“There is a clear and present danger of hybrid attacks against these facilities by groups like ISIS, Hamas and domestic extremists,” warned Tom Kellermann, SVP of Cyber Strategy at Contrast Security. “This attack underscores the need to stay vigilant as our enemies conduct reconnaissance during this era of extremism.”

US citizens submitted their names, dates of birth, citizenship, and gender. Non-citizens submitted additional identifiers, including passport numbers, Transportation Worker Identification Credential (TWIC) numbers, and Global Entry ID numbers.

Chemical facilities also submitted business contact information for creating a CVI Authorized User account between June 2007 and July 2023. Individuals with CSAT user accounts also submitted their names, titles, business addresses, and business phone numbers.

CISA’s assessment found that individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023 faced the most significant risk of having their information compromised in the event of CSAT data theft.

While the agency notified impacted chemical facilities, it cannot directly contact individuals who submitted their personal information as part of the CFATS Personnel Surety Program because it did not store their contact information.

CISA has therefore asked participating chemical facilities to notify the individuals who submitted their details under the CFATS Personnel Surety Program.

Affected individuals will also be offered identity protection services to guard against misuse of their personal information, and CISA will set up a call center to support them.

Assume data theft after the CSAT tool compromise

CISA says that all information in the CSAT tool was encrypted with AES-256, and that the keys were inaccessible “from the type of access the threat actor had to the system.” The agency also found “no evidence of credentials being stolen.”

However, impacted organizations should assume data theft “out of an abundance of caution” and proceed as if “this information could have been inappropriately accessed,” the agency said.

The agency also stated that even without data theft, the intrusion “met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA),” given the number of individuals and chemical facilities impacted.

CISA also directed impacted chemical facilities to maintain their cyber and physical security measures to guard against attacks that could follow from the incident.

Similarly, CISA encourages individuals who had CSAT accounts to change the password on any other online account that shared the same password, since reused credentials can be replayed in credential stuffing attacks.

While CISA found no evidence of data theft, exposure of the cyber and physical security plans could let malicious actors map the impacted chemical facilities and identify weaknesses for future cyber or terrorist attacks.

“While CISA reports no evidence of data exfiltration, the potential exposure of sensitive information like chemical inventory highlights the potential financial and reputational risks associated with such breaches,” concluded Alastair Williams, Vice President, Worldwide Systems Engineering, Skybox Security.


Staff Correspondent at CPO Magazine