


Nearly six months after hackers breached the systems of the Cybersecurity and Infrastructure Security Agency, the agency is telling potential victims the federal government still does not know the extent of the damage.
America’s top domestic cyber defense agency is struggling to define the scope and consequences of a hack of its systems that exposed a tool used to track facilities with dangerous chemicals.
“We hope that our security measures worked,” Kelly Murray, CISA associate director for chemical security, said on a webinar about the hack this week. “We have no evidence to state that they did not.”
CISA officials revealed last month that they spotted a breach of the agency’s Chemical Security Assessment Tool in January.
The agency said it saw no evidence data had been taken but notified participants in the Chemical Facility Anti-Terrorism Standards program about potential data exposed to the hackers. The agency warned in notification letters that hackers may have accessed the personally identifiable information of chemical facility personnel and visitors with special access at the facilities.
Asked during the webinar if the hackers could have taken a screenshot of the victims’ data, Ms. Murray said her agency did not have evidence that that had taken place.
“All we have, as far as evidence, is the ability to place the webshell and ping the webshell essentially on the device,” Ms. Murray said. “We do not have any evidence of any lateral movement within the system to perhaps get to a page to do a screenshot.”
The agency is not only scrambling to discover the hackers’ actions but also struggling to determine the full list of victims.
The exposed data includes historical information from more than a decade ago, and some of the government’s emails to potential victims are kicking back as undeliverable, according to the agency.
“We did get a lot of kickbacks from folks that may not have those emails or may not be working with those companies anymore, but make sure that you check your spam emails and other things to see if you received it,” Ms. Murray said of notifications from the agency on the webinar.
CISA said the federal government did not have contact information for every person whose data was potentially exposed, including some people vetted in the Personnel Surety Program.
The agency is asking institutions that may have been affected to reach out to individual victims if they know how to find them.
“So what we are requesting, on a completely voluntary basis, is that facilities notify these individuals if you have their contact information at your location,” Ms. Murray said.
Facilities that do reach individual victims may not know what to tell them.
Asked about the agency’s assessment of risk to chemical companies given that the agency said it saw no data exfiltration, Ms. Murray declined to answer and said the companies should make their own determinations.
“The risk tolerance is going to be different for every company,” she said on the webinar. “Everyone is going to have to look at the facts and decide for themselves as far as what actions they want to take and, what their concern, what their level of risk around this incident is.”
Tellingly, the agency itself last week published sample notification letters to victims of the breach, which it translated into a wide variety of languages, including Arabic, Chinese, French, German, Hindi, Japanese, Korean, Spanish and Tagalog.
Congress’ level of concern is rising. Sen. Charles E. Grassley launched an investigation of the hack last week and said the agency’s failure put Americans at risk.
“These breaches of the agency tasked with the protection of our nation’s cybersecurity and infrastructure security [are] cause for serious concern,” the Iowa Republican wrote to CISA Director Jen Easterly July 3. “… It appears CISA hasn’t taken adequate steps to ensure the safety of its own systems, leaving the nation at risk.”
CISA has not publicly attributed the hack of its system to any specific cyberattacker.
The hack took advantage of Ivanti appliances, including Ivanti Connect Secure.
Mandiant, a cybersecurity firm owned by Google, partnered with CISA to issue an advisory about problems with Ivanti in February. The advisory points readers to Mandiant’s blog, which linked problems with Ivanti Connect Secure in January to a “China-nexus espionage threat actor.”
Potential victims who want to know who may have hacked them are unlikely to learn much more from the federal government. CISA told potential victims on the webinar it was done providing details of what it knows.
“We won’t and don’t currently have any plans to put out any additional incident report or details of the investigation at this time,” Ms. Murray said.
Congress may learn more details about the hack next. Mr. Grassley in his July 3 letter to CISA demanded more details about the hack and gave the agency a July 17 deadline to answer his questions.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.