A version of this story appeared in the daily Threat Status newsletter from The Washington Times.
The Cybersecurity and Infrastructure Security Agency, the federal government’s premier anti-hacking agency, recently acknowledged that hackers breached its systems earlier this year to access details of its Chemical Security Assessment Tool, which the government uses to collect information from facilities with dangerous chemicals that could be weaponized by terrorists.
The federal cyber agency said it has notified participants in the Chemical Facility Anti-Terrorism Standards program about the digital intrusion and potentially exposed information.
The chemical assessment tool “was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024,” CISA said on its website this month. “While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen Surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.”
While the agency said it had detected no stolen data, it warned in notification letters that the hackers may have accessed the personally identifiable information of chemical facility personnel and visitors to the facilities with access to restricted areas and high-risk chemicals.
CISA did not fully detail who the prospective victims are, but last week it published sample notification letters to victims of the breach, translated into Arabic, Chinese, French, German, Hindi, Japanese, Korean, Spanish and Tagalog.
The agency did not identify the hackers responsible, but said the vector for the breach involved Ivanti appliances, including Ivanti Connect Secure.
“We identified that a malicious actor installed an advanced webshell on the Ivanti device,” the agency said in its sample notification letter. “This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period.”
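The notification letter describes the pattern a defender would look for on an edge appliance: a file that the web server did not ship with, answered with 200 and executed on request, hit repeatedly by the same source across more than one day. The following is an added illustration, not CISA's or Ivanti's code and not drawn from the incident's actual logs: the log lines, the source addresses, the baseline path set and the hypothetical endpoint `/cgi-bin/helper.cgi` are all constructed here to show the detection logic in Python over a simplified access-log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in a simplified Combined Log Format. They are
# illustrative only: the hosts, paths and timestamps are made up and are not
# CISA's or Ivanti's logs. "/cgi-bin/helper.cgi" is a hypothetical endpoint
# standing in for a dropped web shell.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [22/Jan/2024:09:12:09 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.3 - - [23/Jan/2024:03:41:55 +0000] "POST /api/v1/config HTTP/1.1" 200 210
198.51.100.3 - - [23/Jan/2024:03:44:10 +0000] "POST /cgi-bin/helper.cgi HTTP/1.1" 200 87
198.51.100.3 - - [23/Jan/2024:03:45:02 +0000] "POST /cgi-bin/helper.cgi HTTP/1.1" 200 1432
203.0.113.7 - - [23/Jan/2024:14:20:30 +0000] "GET /login HTTP/1.1" 200 5120
198.51.100.3 - - [24/Jan/2024:22:07:19 +0000] "POST /cgi-bin/helper.cgi HTTP/1.1" 200 96
198.51.100.3 - - [24/Jan/2024:23:15:44 +0000] "POST /cgi-bin/helper.cgi HTTP/1.1" 200 66
203.0.113.9 - - [25/Jan/2024:08:00:00 +0000] "GET /healthz HTTP/1.1" 200 2
203.0.113.9 - - [25/Jan/2024:08:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 28
"""

# Paths the appliance is known to serve legitimately. This is a hypothetical
# baseline; in practice it would come from the vendor's file manifest or from
# logs captured before the suspect window.
KNOWN_PATHS = {"/login", "/api/v1/config", "/healthz"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def find_webshell_candidates(text, known_paths, min_hits=3):
    """Return {path: summary} for request paths that are absent from the
    baseline, answered 200 (the server is executing something that should not
    be there) and requested at least min_hits times. The summary records the
    sources, the HTTP methods used and how many calendar days the access
    spanned, which is the repeated-access-over-days pattern the notification
    letter describes."""
    by_path = defaultdict(list)
    for rec in parse_log(text):
        if rec["path"] in known_paths or rec["status"] != 200:
            continue
        by_path[rec["path"]].append(rec)

    findings = {}
    for path, recs in by_path.items():
        if len(recs) < min_hits:
            continue  # a single stray hit on an unknown path is noise, not a shell
        stamps = sorted(r["ts"] for r in recs)
        findings[path] = {
            "hits": len(recs),
            "sources": sorted({r["ip"] for r in recs}),
            "methods": sorted({r["method"] for r in recs}),
            "first_seen": stamps[0].isoformat(),
            "last_seen": stamps[-1].isoformat(),
            "days_spanned": (stamps[-1].date() - stamps[0].date()).days + 1,
        }
    return findings


if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG, KNOWN_PATHS).items():
        print(path, info)
```

On the constructed sample the only finding is `/cgi-bin/helper.cgi`: four POSTs from one source over two calendar days, while the one-off `GET /robots.txt` stays below the hit threshold. The baseline set is the part that matters in a real deployment; without an authoritative list of what the appliance legitimately serves, a path allow-list built from the same logs the attacker has been writing to will quietly include the shell.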
Mandiant, a cybersecurity firm, has tied the recent exploitation of Ivanti Connect Secure vulnerabilities to China-linked cyberattackers.
Mandiant partnered with CISA to issue an advisory in February about the Ivanti vulnerabilities. The advisory links to a Mandiant blog post from January saying it identified a “China-nexus espionage threat actor” exploiting the vulnerability.
U.S. officials have separately warned this year that China-sponsored cyberattackers are secretly pre-positioning themselves in critical U.S. infrastructure systems in order to conduct potential future attacks.
To answer questions about the newly revealed hack of CISA, the agency is holding webinars with stakeholders. The next meeting is scheduled for July 9.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.