Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Benedict Collins

CISA warns chemical facilities may have been hacked in CSAT breach

Factory.

Chemical facilities across the US that utilize the Cybersecurity & Infrastructure Security Agency’s (CISA) ‘Chemical Security Assessment Tool’ could be at risk following thanks to a data breach that reportedly struck in January 2024.

The attackers may have been able to access sensitive and confidential material relating to facility security assessments after abusing an Ivanti device to plant a webshell.

CSAT is supposed to help facilities stay on top of risk-assessments by providing a security vulnerability assessment (SVA) and site security plan (SSP) if they are determined to be a high-risk facility that could be targeted by terrorists.

 Exploited for months

Systems went offline as early as March 2024 in relation to an Ivanti device belonging to CISA that was exploited by attackers and reported by The Record, with two systems taken down for an investigation.

It has now been confirmed by CISA that a threat actor installed a webshell on the Ivanti Connect Secure device to maintain access, which the attacker then exploited multiple times over two days. The attacker abused three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

In the breach notification, CISA said, “CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).”

Using the exploited Ivanti device, the attacker may have had access to highly sensitive information such as site security plans, security vulnerability assessments, CSAT user accounts and submissions made to the personnel surety program.

Andrew Lintell, General Manager, EMEA, at Claroty said, “The chemical sector holds all the ingredients necessary for a recipe of destruction. In a time of increasing global tensions and nation-state backed attacks, the leaking of information of facilities holding dangerous chemicals could be a real issue. We’ve seen in the past where nation-states have tried to cause explosions in petrochemical plants which could have had disastrous consequences.”

“The leaking of site security plans (SSPs) could be the golden ticket for cybercriminals who want to infiltrate these facilities. As IT and OT networks converge, the potential for causing damage has grown significantly.  It is vital that organisations in the chemical sector implement network segmentation to prevent lateral movement across cyber-physical systems and restrict any unnecessary connectivity,” Lintell concluded.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.