CISA warns chemical facilities may have been hacked in CSAT breach

(Image credit: Pixabay)

Chemical facilities across the US that utilize the Cybersecurity & Infrastructure Security Agency’s (CISA) ‘Chemical Security Assessment Tool’ could be at risk following thanks to a data breach that reportedly struck in January 2024.

The attackers may have been able to access sensitive and confidential material relating to facility security assessments after abusing an Ivanti device to plant a webshell.

CSAT is supposed to help facilities stay on top of risk-assessments by providing a security vulnerability assessment (SVA) and site security plan (SSP) if they are determined to be a high-risk facility that could be targeted by terrorists.

 Exploited for months

Systems went offline as early as March 2024 in relation to an Ivanti device belonging to CISA that was exploited by attackers and reported by The Record, with two systems taken down for an investigation.

It has now been confirmed by CISA that a threat actor installed a webshell on the Ivanti Connect Secure device to maintain access, which the attacker then exploited multiple times over two days. The attacker abused three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

In the breach notification, CISA said, “CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).”

Using the exploited Ivanti device, the attacker may have had access to highly sensitive information such as site security plans, security vulnerability assessments, CSAT user accounts and submissions made to the personnel surety program.

Andrew Lintell, General Manager, EMEA, at Claroty said, “The chemical sector holds all the ingredients necessary for a recipe of destruction. In a time of increasing global tensions and nation-state backed attacks, the leaking of information of facilities holding dangerous chemicals could be a real issue. We’ve seen in the past where nation-states have tried to cause explosions in petrochemical plants which could have had disastrous consequences.”

“The leaking of site security plans (SSPs) could be the golden ticket for cybercriminals who want to infiltrate these facilities. As IT and OT networks converge, the potential for causing damage has grown significantly.  It is vital that organisations in the chemical sector implement network segmentation to prevent lateral movement across cyber-physical systems and restrict any unnecessary connectivity,” Lintell concluded.

Via BleepingComputer

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focussing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.