CISA Hacked, Key Systems Forced Offline

    The Cybersecurity and Infrastructure Security Agency (CISA), which safeguards networks and systems across federal, state, local, tribal, and territorial governments, appears to have had one or more of its own systems breached by unknown hackers.

    “About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

    In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

    Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

    CISA Forced to Take its Systems Offline

    It is believed that two of CISA’s internal systems were compromised in the attack, prompting agency officials to take both offline as a precaution. At this early stage, authorities have reported no discernible operational impacts of the CISA hack.

    Unnamed sources provide preliminary details on CISA’s breached systems, noting they included the Infrastructure Protection Gateway – a database containing vital interdependence mappings of United States infrastructure networks.

    The Chemical Security Assessment Tool was also said to have been targeted. It is an online portal housing highly confidential chemical facility safety plans filed under the Chemical Facility Anti-Terrorism Standards (CFATS).

    This tool holds risk determinations and sensitive data disclosed by private sector energy and chemical sites to help secure them against terrorism under CFATS regulations. Both systems housing strategic vulnerability information are now being carefully examined by investigators.

    CISA has neither confirmed nor denied which of its systems were taken offline.

    Perpetrators of CISA Attack Are Still Unidentified

    While responsibility for the CISA breach has not been attributed at this stage, earlier reports linked the exploitation of flaws in Ivanti products to hackers suspected of Chinese state backing. Analysis from security researchers points to actors pursuing espionage goals.

    Cybersecurity firms Volexity and Mandiant uncovered evidence of real-world attacks leveraging two remote code execution bugs in Ivanti Connect Secure VPN appliances, allowing unauthorized access.

    Volexity’s investigators detailed ongoing exploitation of these vulnerabilities and tied the activities to a threat group tracked internally as UTA0178.

    This group is described as a “Chinese state-sponsored cyber threat actor” based on operational patterns and targeting seen in past intrusions.

    Should linkages to the CISA hack emerge, it would represent a serious cyber espionage incident against US government infrastructure oversight networks.

    For now, the trail of clues suggests a determined and sophisticated adversary may be involved in ongoing efforts to access sensitive US sector and agency systems through supply chain compromises.

    Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows attackers to circumvent authentication and provides backdoor access to these devices.

    Ivanti Shares Security Advisory after CISA Breach

    Ivanti has publicly shared a security advisory and support article with recommendations to help bolster defenses against future exploitation of the disclosed vulnerabilities. While following the guidance can help block new intrusions, it does not undo any past or existing infiltrations.

    Incident response teams are strongly advised to examine their networked environments carefully for indicators that a compromise has already occurred.

    This type of proactive, ongoing security improvement should serve as a model for all organizations grappling with sophisticated threat actors constantly advancing their tactics.
