CISA warns chemical facilities may have been hacked in CSAT breach
Attacker may have site security plans for chemical facilities all over the US, CISA warns
Chemical facilities across the US that utilize the Cybersecurity & Infrastructure Security Agency’s (CISA) ‘Chemical Security Assessment Tool’ could be at risk following thanks to a data breach that reportedly struck in January 2024.
The attackers may have been able to access sensitive and confidential material relating to facility security assessments after abusing an Ivanti device to plant a webshell.
CSAT is supposed to help facilities stay on top of risk-assessments by providing a security vulnerability assessment (SVA) and site security plan (SSP) if they are determined to be a high-risk facility that could be targeted by terrorists.
Exploited for months
Systems went offline as early as March 2024 in relation to an Ivanti device belonging to CISA that was exploited by attackers and reported by The Record, with two systems taken down for an investigation.
It has now been confirmed by CISA that a threat actor installed a webshell on the Ivanti Connect Secure device to maintain access, which the attacker then exploited multiple times over two days. The attacker abused three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
In the breach notification, CISA said, “CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).”
Using the exploited Ivanti device, the attacker may have had access to highly sensitive information such as site security plans, security vulnerability assessments, CSAT user accounts and submissions made to the personnel surety program.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Andrew Lintell, General Manager, EMEA, at Claroty said, “The chemical sector holds all the ingredients necessary for a recipe of destruction. In a time of increasing global tensions and nation-state backed attacks, the leaking of information of facilities holding dangerous chemicals could be a real issue. We’ve seen in the past where nation-states have tried to cause explosions in petrochemical plants which could have had disastrous consequences.”
“The leaking of site security plans (SSPs) could be the golden ticket for cybercriminals who want to infiltrate these facilities. As IT and OT networks converge, the potential for causing damage has grown significantly. It is vital that organisations in the chemical sector implement network segmentation to prevent lateral movement across cyber-physical systems and restrict any unnecessary connectivity,” Lintell concluded.
Via BleepingComputer
More from TechRadar Pro
- These are the best endpoint protection solutions
- Stopping Chinese cyberattacks is officially now the biggest priority for US security forces
- Take a look at our guide to the best malware removal
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.