Ivanti-linked breach of CISA potentially affected more than 100,000 individuals

A senior CISA official shared details with CyberScoop regarding the incident after the agency notified Congress about it on Friday.
Brandon Wales of the Cybersecurity and Infrastructure Security Agency speaks during a Senate Homeland Security and Governmental Affairs Committee hearing on May 11, 2021 in Washington, D.C. (Photo by Tasos Katopodis/Getty Images)

The Cybersecurity and Infrastructure Security Agency notified lawmakers on Friday that the recent breach of its chemical plant security tool that was linked to flawed Ivanti products potentially affected more than 100,000 individuals, triggering disclosure to Congress under a federal cybersecurity law. 

The size of the breach makes it a “major incident” under the threshold established by the Federal Information Security Management Act. Hackers breached the Chemical Security Assessment Tool (CSAT), which houses information about chemical plant security plans, as well as another CISA system, CISA Gateway, which is a portal for tools to help secure critical infrastructure. The agency said it is also beginning to notify affected people and companies.

A CISA official said there’s no evidence that the hackers stole data after exploiting a vulnerability in Ivanti products, and the breach had no operational impact even though it compelled CISA to take the systems offline.

“That is something we looked hard for and it was one of the primary reasons that we waited this long, as we wanted to see if we could find any evidence of exfiltration,” Brandon Wales, CISA’s executive director, told CyberScoop. The agency is also sharing further details in the spirit of transparency, he said.


With an internal investigation led by the agency’s chief information officer and threat hunting team wrapping up, Wales said their examination of the incident revealed that the attackers deployed a webshell against the CSAT tool and that there was “a loss of control in the system,” further pushing the agency to make disclosures to Congress. By contrast, the compromise of the gateway was “quite limited,” he said, and hackers did not deploy a webshell.

News of the CISA breach broke earlier this month, but the breaches date back to January, Wales said. That’s when details of an Invanti vulnerability first became public. CISA itself issued an alert about the vulnerability that the hackers used to get into CISA’s systems.

CISA implemented the vendor-recommended fixes on Jan. 11 and ran daily checks using a tool Ivanti created that was supposed to find device compromises, Wales said. On Jan. 26, CISA discovered the CSAT application was compromised; the attackers, it turned out, had access to the device for two days, he said.

The hackers were able to bypass the Ivanti mitigations and the Ivanti “integrity checker,” Wales said.

CSAT is used under the Chemical Facility Anti-Terrorism Standards program, which requires screening of people with access to high-risk chemicals against the Terrorist Screening Database. CSAT stores information on those individuals and related companies. However, the law that created that program lapsed last July, and CISA’s CSAT website notes that as a result it’s not currently requiring facilities to submit information to CSAT.


Wales said CISA is keeping CSAT offline while it completes technological improvements to the system, and until the chemical plant security law is reauthorized.

CISA has already briefed the Hill on details about the incident, he said. Friday’s notification to the House and Senate appropriations panels, the Senate Homeland Security and Governmental Affairs Committee, the Senate’s Commerce panel, the House Homeland Security Committee, the House Oversight and Accountability Committee and the House Science, Space and Technology panel is a response to the requirements under the federal cybersecurity law.

While the government hasn’t identified who has been exploiting the Ivanti vulnerability,  cybersecurity firms have pinned blame on China-linked hackers.

The breach at CISA comes with important lessons, Wales said. First, the agency had an incident response plan and took action quickly as soon as it had indications of a problem. Second, CISA used information gleaned from the compromise to alert others — illustrating the value of information sharing that CISA has been campaigning for among industry.

“Third is, I think every company and any agency that suffers a compromise is going to get to learn things about where it needs to make improvements, and we are going through that process now, and our CIO is taking lessons where we need to make improvements in our systems based upon this incident and the findings of the investigation,” Wales said. “That is improving the security of every one of CISA’s systems.”

Latest Podcasts