The Cybersecurity and Infrastructure Security Agency says the federal government still does not know the extent of the damage from a hack nearly six months ago.
The nation’s top domestic cyber defense agency is struggling to define the scope and consequences of a hack of its systems that exposed a tool used to track facilities with dangerous chemicals.
“We hope that our security measures worked,” Kelly Murray, CISA associate director for chemical security, said in a webinar this week. “We have no evidence to state that they did not.”
CISA officials revealed last month that they spotted a breach of the agency’s Chemical Security Assessment Tool in January.
The agency found no evidence that data had been taken but notified participants of the Chemical Facility Anti-Terrorism Standards program about potential data exposure to hackers. In notification letters, the agency said hackers may have accessed the personally identifiable information of chemical facility personnel and visitors with special access to the facilities.
When asked during the webinar whether the hackers could have taken a screenshot of the data, Ms. Murray said her agency had no evidence.
“All we have, as far as evidence, is the ability to place the webshell and ping the webshell essentially on the device,” Ms. Murray said. “We do not have any evidence of any lateral movement within the system to perhaps get to a page to do a screenshot.”
The agency is scrambling to determine the full list of those affected.
Some of the exposed data dates back more than a decade, the agency said, and government emails to some who may have been affected are kicking back as undeliverable.
“We did get a lot of kickbacks from folks that may not have those emails or may not be working with those companies anymore, but make sure that you check your spam emails and other things to see if you received it,” Ms. Murray said of agency notifications of the webinar.
CISA said the federal government did not have contact information for everyone whose data may have been exposed, including some vetted in the Personnel Surety Program.
The agency is asking institutions to reach out to individuals if they know how to find them.
“So what we are requesting, on a completely voluntary basis, is that facilities notify these individuals if you have their contact information at your location,” Ms. Murray said.
Asked about the assessment of risk to chemical companies given that the agency said it saw no data exfiltration, Ms. Murray said the companies should make their own determinations.
“The risk tolerance is going to be different for every company,” she said. “Everyone is going to have to look at the facts and decide for themselves as far as what actions they want to take and what their concern, what their level of risk around this incident is.”
Last week, the agency published sample notification letters for those affected by the breach, translated into various languages, including Arabic, Chinese, French, German, Hindi, Japanese, Korean, Spanish and Tagalog.
Congress’ level of concern is rising. Sen. Charles E. Grassley, Iowa Republican, launched an investigation into the hack last week and said the agency’s failure put Americans at risk.
“These breaches of the agency tasked with the protection of our nation’s cybersecurity and infrastructure security [are] cause for serious concern …,” Mr. Grassley wrote to CISA Director Jen Easterly on July 3. “It appears CISA hasn’t taken adequate steps to ensure the safety of its own systems, leaving the nation at risk.”
CISA has not publicly attributed the hack of its system to any specific cyberattacker.
The hack took advantage of Ivanti appliances, including Ivanti Connect Secure.
Mandiant, a cybersecurity firm owned by Google, partnered with CISA to issue an advisory about problems with Ivanti in February. The advisory pointed readers to Mandiant’s blog, which linked problems with Ivanti Connect Secure in January to a “China-nexus espionage threat actor.”
Those affected are unlikely to learn much more about the hackers from the federal government. CISA said it held the webinar to provide details of what it knows.
“We won’t and don’t currently have any plans to put out any additional incident report or details of the investigation at this time,” Ms. Murray said.
In his letter to CISA, Mr. Grassley demanded more details about the hack and gave the agency a July 17 deadline to answer his questions.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.