Chemical Security Assessment Tool (CSAT) Ivanti Notification
The Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024. While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.
Following the reporting requirements under the Federal Information Security Modernization Act (FISMA), CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and potentially impacted information.
View a copy of the CSAT Notification letters
Recommendations for Facility Action
CISA is encouraging facilities to maintain cyber and physical security measures. While the investigation found no evidence of credentials being stolen, CISA encourages individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password. This can help to prevent possible “password spraying” attacks in the future.
For organizations that use Ivanti appliances, please review Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.
Voluntary Notification Options
CISA was not authorized to, and did not collect, the address or contact information for individuals vetted under the CFATS Personnel Surety Program. As a result, CISA is unable to directly contact those individuals who had their information submitted by chemical facilities for terrorist vetting.
CISA is therefore requesting, on a voluntary basis, that facilities that received the CSAT Ivanti Notification Letter notify individuals submitted by that facility for vetting under the CFATS Personnel Surety Program of this incident. Download a template letter that facilities can use to notify personnel. Alternatively, should facilities decline to notify these individuals, CISA requests that facilities provide CISA with the contact information for individuals submitted under the CFATS Personnel Surety Program on a voluntary basis so that CISA can notify impacted individuals. Facilities can send contact information for personnel that had Personally Identifiable Information (PII) submitted for vetting under the CFATS Personnel Surety Program to CFATS.Notifications@cisa.dhs.gov.
Identity Protection for Impacted Individuals
Individuals whose information was submitted for vetting under the CFATS Personnel Surety Program by their employer or a third party between December 2015 and July 2023 are eligible for identity protection services.
To get more information about the identity protection services and to enroll in these services, please contact (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.
Webinar Information
In addition to the notifications, CISA hosted two webinars for stakeholders during which we reviewed the information provided in the frequently asked questions. The first webinar was held Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT). The second webinar was held on Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT).
CSAT Notifications Email Distribution List
To receive updates on the latest information regarding the CSAT notifications, we recommend you subscribe to the new "CSAT Notifications" distribution list.
Frequently Asked Questions
On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.
CISA immediately took the system offline, isolated the application from the rest of the network, and began a forensic investigation. This investigation included technical experts from CISA’s Office of the Chief Information Officer, our Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center. The investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment. All information in CSAT was encrypted using AES 256 encryption, and information from each application had additional security controls limiting the likelihood of lateral access. Encryption keys were hidden from the type of access the threat actor had to the system.
CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).
For more on this type of malicious activity, visit Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.
Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CFATS.Notifications@cisa.dhs.gov.
Individuals may reach out to CFATS.Notifications@cisa.dhs.gov for general questions or may contact the services call center established for potentially impacted individuals at (888) 377-7912.
Individuals whose information was submitted for vetting under the CFATS Personnel Surety Program by their employer or a third party between December 2015 and July 2023.
Identity protection services include credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of 18 months. For any questions regarding details of the identity protection services, please contact the services call center at (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.
To enroll in identity protection services, please contact (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.
Individuals have until February 2, 2025, to enroll in identity protection services. For any questions regarding details of the identity protection services, please contact the services call center at (888) 377-7912. The services call center is available 24 hours a day, 7 days a week.
The Department of Homeland Security performed a risk-based assessment as to which individuals may face adverse consequences if worst-case circumstances were realized. In this assessment, it was determined that individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023 were the only population that faced this risk due to the information that was potentially exposed.
The Top-Screen was an online survey that gathered information from facilities that possessed chemicals of interest (COI) at or above screening threshold quantities and/or concentration. Information submitted in a Top-Screen may have included (but was not limited to):
- Facility name and address
- COI amount (quantity and concentration)
- Chemical properties (e.g., phase, temperature, pressure)
- Chemical storage (e.g., container type)
All high-risk facilities were required to complete and submit a Security Vulnerability Assessment (SVA) to identify the facility's use of COI, critical assets, and measures related to the facility’s policies, procedures, and resources that were necessary to support the security plan. The SVA provided an analysis of the facility's security posture and potential vulnerabilities. Information submitted in an SVA may have included (but was not limited to):
- Cyber and physical security features
- Location of security features
- Use of COI and method of shipping/receiving COI
All high-risk facilities were required to submit a security plan that described existing or planned measures that met the CFATS risk-based performance standards (RBPS). Facilities may have submitted either an online-generated Site Security Plan (SSP) or an Alternative Security Program (ASP) generated in their own template that holistically met security measures for their tier and security concern. Information submitted in an SSP/ASP may have included (but was not limited to):
- How vulnerabilities from SVA were addressed
- Security measures for each COI
- How security measures met or exceeded the RBPS, such as:
  - Type of delay barriers (fencing, locks, access control system)
  - Type of alarms
  - Type of cybersecurity controls
The CFATS Personnel Surety Program gathered Personally Identifiable Information (PII) about individuals seeking access to restricted areas and critical assets to be vetted for terrorist ties. At minimum, information provided under the Personnel Surety Program must have included an individual’s name, date of birth, and citizenship or gender. Facilities may have chosen to provide additional PII, including aliases, place of birth, passport number, redress number, Global Entry ID number, or Transportation Worker Identification Credential (TWIC) ID number.
Contact Information
Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CFATS.Notifications@cisa.dhs.gov.
Potentially impacted individuals should contact the identity protection services call center at (888) 377-7912.