The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that two of its critical systems were breached by hackers in February, exploiting vulnerabilities in Ivanti products used by the agency. In response to the incident, CISA was forced to take the affected systems offline, highlighting the ongoing threats faced by government agencies and organizations worldwide.
A CISA spokesperson told Recorded Future News that the agency "identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses" about a month ago. "The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time," the spokesperson said.
The two compromised systems, according to a source with knowledge of the situation, were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which contains private sector chemical security plans. CSAT houses some of the country's most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans, and Security Vulnerability Assessments.
CISA declined to provide specific details about who was behind the incident, whether data had been accessed or stolen, and what systems were taken offline. However, the agency emphasized that the breach serves as a reminder that any organization can be affected by a cyber vulnerability and that having an incident response plan in place is a necessary component of resilience.
The hackers responsible for the attack have not been identified, but they took advantage of weaknesses in widely used virtual private networking software made by Ivanti, a company based in Utah. CNN reported, citing private researchers, that a Chinese group focused on gathering secret information has been exploiting these weaknesses.
To protect more systems, CISA has been advising government agencies and private companies to update their software or use other protective measures, as hackers have been taking advantage of these vulnerabilities for some time. In February, CISA ordered all federal civilian agencies in the U.S. to disconnect Ivanti Connect Secure and Policy Secure products by February 2, later updating its advisory on February 9 to say that products could be turned back on after they were patched.
Last week, several of the world's leading cybersecurity agencies revealed that hackers had found a way around the Integrity Checker Tool (ICT), a tool Ivanti released to help organizations check whether they had been compromised. CISA said that during "multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."
Hackers were able to steal credentials on Ivanti devices and expand their access, in some cases to full domain compromise. The agencies that authored the advisory strongly urged all organizations to weigh the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when deciding whether to continue operating these devices in an enterprise environment.
Since 2020, CISA has warned organizations of state-backed hackers, including ones linked to China, exploiting vulnerabilities in Ivanti products. Unidentified hackers began exploiting a new vulnerability affecting Ivanti products in attacks targeting the Norwegian government in April 2023, compromising a dozen state ministries.
The breach of CISA's systems underscores the persistent threats posed by cybercriminals and state-backed hackers, who continuously seek to exploit vulnerabilities in widely used software and products. As government agencies and organizations work to bolster their cybersecurity defenses, the incident serves as a stark reminder of the need for vigilance, regular software updates, and robust incident response plans to mitigate the impact of potential breaches.