Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Hackers Compromised Ivanti Devices Used by CISA

Cybersecurity Agency Says 'No Operational Impact'
Hackers Compromised Ivanti Devices Used by CISA
The U.S. Cybersecurity and Infrastructure Security Agency says hackers compromised two of its Ivanti gateways. (Image: Shutterstock)

The U.S. Cybersecurity and Infrastructure Security Agency apparently had a good reason to urge federal agencies to reset vulnerable Ivanti VPN devices: Hackers breached two gateways used by CISA, forcing the agency to yank them offline.

See Also: Hunting Money Mules with a 360-Degree View of Identities

An agency official told Information Security Media Group on Friday afternoon the hacking "was limited to two systems" and added the agency "immediately took offline" the affected VPNs as it worked to mitigate any ongoing vulnerabilities.

The Record, which first reported the hack, cited a "source with knowledge of the situation" to report that the affected systems connected to the Infrastructure Protection Gateway and the Chemical Security Assessment Tool. The IP Gateway is a portal containing data such as security assessments of national significant critical infrastructure, and the CSAT houses private sector chemical security plans.

"CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses" in February, a spokesperson said. "We continue to upgrade and modernize our systems, and there is no operational impact at this time."

The agency has warned that hackers are stealing account credentials stored inside Ivanti gateways.

CISA last month gave federal agencies a midnight, Feb. 2 deadline for performing a factory reset on Ivanti devices amid a flurry of hacking against the Utah manufacturer's products instigated in December by Chinese nation-state hackers (see: Feds Face a Midnight Deadline for Resetting Ivanti Gateways).

Although the hacking wave may have started in Beijing, other threat actors with diverse motives including cryptomining took the January disclosure of zero-days as a reason to start their own rounds of illicit penetration. Their chances grew amid glitches with Ivanti's integrity checker tool and the disclosure of three additional zero-days in late January and early February.

CISA on Feb. 29 warned that hackers could preserve access to a compromised device even after a factory reset - findings that Ivanti disputed by arguing that CISA's findings don't reproduce in production environments. "Outside of a lab environment, this action would break the connection with the box, and thus would not gain persistence," an Ivanti spokesperson said at the time (see: Ivanti Disputes CISA Findings of Post-Factory Reset Hacking).

An agency spokesperson on Friday described its own cyberattack as "a reminder that any organization can be affected by a cyber vulnerability," and added that "having an incident response plan in place is a necessary component of resilience."

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.