CISA forced to take two systems offline last month after Ivanti compromise

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline.

CSAT houses some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Last week, several of the world’s leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised.

CISA said during “multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”

Hackers were able to steal credentials on Ivanti devices and expand their access to, in some cases, full domain compromise.

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” they said.

Ivanti’s mobile endpoint management software is popular among governments around the world and several vulnerabilities in the company’s products have allowed hackers to remotely access victims’ personally identifiable information, such as names, phone numbers and other mobile device details. An attacker can also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said in a security alert last year.

Since 2020, CISA has warned organizations of state-backed hackers — including ones linked to China — exploiting vulnerabilities in Ivanti products.

Unidentified hackers began exploiting a new vulnerability affecting Ivanti products in attacks targeting the Norwegian government in April 2023, compromising a dozen state ministries.

CISA, Ivanti and several security companies, including Mandiant and Volexity, raised alarms about two vulnerabilities in early January that were allegedly being exploited by Chinese state-backed espionage hackers. News of the bugs prompted cybercriminals and others to attempt to exploit them as well.

Agency officials previously told reporters that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum… across the breadth of the federal mission,” an official said.

Another two vulnerabilities were discovered affecting the same products, with one of them confirmed to have been used in attacks on Ivanti customers — which include hundreds of government agencies around the world.

The two new vulnerabilities prompted CISA to order all federal civilian agencies in the U.S. to disconnect Ivanti Connect Secure and Policy Secure products by February 2. CISA later updated its advisory on February 9 to say that products could be turned back on after they were patched.