
Chemical establishments placed under alert for suspected data pilferage by CISA

Attack connected to exploited Ivanti VPN vulnerabilities identified as targeting the Chemical Facility Anti-Terrorism Standards program.

Warning Issued by CISA: Chemical Facilities Face Threat of Data Theft

The Cybersecurity and Infrastructure Security Agency (CISA) has recently experienced a data breach, with the incident being discussed in a webinar led by CISA's associate director, Kelly Murray.

Under the Federal Information Security Management Act of 2002, the breach qualifies as a major incident because it involved potential unauthorized access to the personally identifiable information of at least 100,000 people. CISA has notified organizations representing more than 100,000 people of potential exposure following an attack targeting their systems in January.

The attack was linked to widely exploited zero-day vulnerabilities in Ivanti remote access VPNs. Malicious activity was identified on CISA's scanning systems on Jan. 26, and the affected Ivanti products are no longer in use by CISA.

CISA's analysis identified multiple accesses to a malicious webshell over a two-day period, but the agency did not disclose what actions the attacker took during those accesses. The intrusion was traced back to January 23, and the affected system was taken completely offline once the intrusion was discovered.

The breach led to potential unauthorized access to top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, and CSAT user accounts. CISA found no evidence of data theft or lateral movement during the attack, but the modus operandi of the attackers indicates they could have obtained sensitive employee authentication credentials or other critical access information.

In response, CISA has emphasized the need for robust security measures such as phishing-resistant multifactor authentication for all access points, especially for webmail, VPNs, and critical systems. Additionally, CISA continues to provide advisories about current security vulnerabilities and necessary mitigations for industrial control systems.

Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, asking the question: Are we a target? Answering it is an increasingly central part of the CISO's evolving role.

It's important to note that the exact data stolen from CISA during the January attack has not been disclosed. However, the focus on enhanced authentication protocols and employee training reflects the primary defensive actions. The CSAT system will remain offline until the Chemical Facility Anti-Terrorism Standards program is reauthorized.

Attackers started exploiting the vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in early December. Ivanti released a security patch for the CVEs on Jan. 31, but the fix came too late for CISA.

CISA has sent notifications to all potentially impacted organizations because the breach met the threshold of a major incident. The notifications were required because of the potential risk to the data and because unauthorized access to it could not be ruled out.

There is no indication that the breach involved patient or radiological data; a separate unrelated breach affected Northwest Radiologists and Washington State residents' personal information in January 2025.

The breach serves as a reminder for all organizations to prioritize cybersecurity and implement robust security measures to protect sensitive data.

In light of the data breach at CISA, organizations need to prioritize cybersecurity and implement robust measures, such as enhanced authentication protocols and employee training, to protect sensitive data from unauthorized access through vulnerabilities in their technology. Although the exact data stolen from CISA during the January attack has not been disclosed, the breach is a reminder that organizations should be proactive in addressing cybersecurity risks, especially as attackers continue to exploit vulnerabilities like CVE-2023-46805 and CVE-2024-21887.
