CISA confirms hackers may have accessed data from chemical facilities during January incident

Hackers may have accessed sensitive information about the nation’s chemical facilities during a cyberattack in January, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday. 

Recorded Future News first reported on the incident in March, and CISA confirmed at the time that two systems were taken offline in response to the attack, which was conducted through a vulnerability in Ivanti IT products.

In an advisory on Monday, CISA explained that the Chemical Security Assessment Tool (CSAT) was the “target of a cybersecurity intrusion by a malicious actor from January 23-26.”

CISA said all of the data in CSAT, which houses some of the country’s most sensitive industrial information, was encrypted and the encryption keys were "hidden from the type of access the threat actor had to the system." 

Nonetheless, the agency is warning all impacted participants in the program "out of an abundance of caution that this information could have been inappropriately accessed."

It found no evidence that the hackers exfiltrated data but noted the intrusion “may have resulted in the potential unauthorized access” to site security plans, security vulnerability assessments (SVA), and user accounts within the CSAT system.

They also may have accessed “Top-Screen surveys,” which carry information on facilities, including the quantity and concentration of chemicals, their properties, and types of containers used to store them. 

High-risk chemical facilities are required to submit SVAs that outline the facility’s critical assets as well as cyber and physical security policies and procedures — providing an analysis of the facility’s security posture and potential vulnerabilities. 

The other documents held in the system covered how cyber and physical vulnerabilities were addressed by chemical facilities and what kind of alarms, barriers and cybersecurity controls are in place.

The cybersecurity agency has already notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information.

“While the investigation found no evidence of credentials being stolen, CISA encourages individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password,” CISA explained, urging organizations that use Ivanti products to read a February advisory about recent vulnerabilities affecting the company’s tools.  

CISA noted that it cannot directly contact people whose information was submitted by chemical facilities for terrorist vetting, because it did not collect addresses or contact information as part of the CFATS Personnel Surety Program.

Anyone whose information was submitted for vetting between December 2015 and July 2023 is affected by the incident, and identity protection services will be provided to those impacted. 

CISA discovered the intrusion on January 26, when it found hackers installing tools on an Ivanti device. An investigation revealed that the hackers had accessed the system multiple times over a two-day period. 

Several departments within CISA, as well as the Department of Homeland Security, were involved in the investigation and found no hacker access beyond the Ivanti device. 

“Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA),” CISA said. 

“CISA is in the process of establishing a call center for impacted individuals; however, at the time of the emailing of the notification, the center has not been stood up.”

CISA did not respond to requests for comment, both on Monday and in previous attempts in March, about who was behind the attack. Since 2020, the agency has warned organizations of state-backed hackers — including ones linked to China — exploiting vulnerabilities in Ivanti products.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.