A federal cybersecurity agency was hacked last month through a VPN software vulnerability developed by a company with many government clients worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) was hacked in February, according to its Feb. 29 joint statement with the FBI and other national and foreign cyber-security agencies, including UK, Canada, Australia, and New Zealand agencies. According to CNN, citing a CISA spokesperson, the hack forced CISA to take two critical systems offline.
The hack was possible due to a vulnerability in Virtual Private Network (VPN) software produced by Utah-based IT firm Ivanti, which has hundreds of government agencies as clients worldwide.
A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.”
“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limited to two systems, which we immediately took offline.”
CISA does not clearly state that it was hacked in its statement, saying it indirectly, “Based upon the authoring organizations’ observations during incident response activities,” in its advisory.
The advisory also states, “CISA has responded to multiple incidents related to the above vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways,” meaning that CISA itself was hacked.
The Ivanti Connect Secure is a VPN software.
CISA declined to confirm or reject claims regarding which two systems went offline, but U.S. officials said one was for sharing cyber and physical security tools among federal, state, and local officials, and the other was for sharing information from security assessments of chemical facilities.
CISA is part of the Department of Homeland Security. It investigates cyber intrusions at federal agencies and advises private critical infrastructure firms on how to bolster their security.
CISA did not disclose the attacker.
An Ivanti spokesperson told NTD that “the 29 February [CISA] advisory does not contain information on a new vulnerability.”
Ivanti also said that “Customers that patched and executed a successful factory reset (hardware) or deployed a new build (virtual) would not be at risk from the activity outlined in CISA’s report. ”
It also said it is not “aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”
The two vulnerable software were Connect Secure, which is the VPN, and Policy Secure.
The Ivanti Policy Secure is a “central policy management server that validates the user’s identity, determines the endpoint’s security compliance, and manages network policies,” according to Ivanti’s webpage.
CISA said in the advisory that “A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.”
CISA Warns About Ivanti VPN
In January, CISA issued an emergency directive urging agencies to mitigate vulnerabilities in Ivanti Connect Secure VPN devices and its Policy Secure tools.
The directive also required federal agencies to remove compromised products from agency networks and report any indications of compromise to CISA.
CISA said it had observed “widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions,” which could pose “an unacceptable risk” to federal agencies.
According to a report by The Record, this happened before CISA’s own attack via the Ivanti VPN in February.
According to the January CISA directive, the consequences of using the vulnerable software could be dire, as successful exploitation of vulnerabilities would allow a threat actor to “move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
“This directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation,” it added.
CISA issued its directive just weeks after cyber security firm Volexity said it found active exploitation of two vulnerabilities allowing “unauthenticated remote code execution” in Ivanti Connect Secure VPN.
Researchers at Volexity suspected that a “Chinese nation-state-level threat actor” was behind the exploitation.
Volexity said it discovered “two different zero-day exploits,” which were being chained together to achieve unauthenticated remote code execution.
The researchers said, “When combined, these two vulnerabilities make it trivial for attackers to run commands on the system.”
“In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” they added.
CISA Warns About Ivanti Mobile Software
Even before January, CISA had also—for several weeks—been urging federal agencies and private firms to update their software or take other defensive measures in response to other widespread exploitation of Ivanti vulnerabilities by hackers.
Ivanti products have caused upheaval and hacks several times in the United States and abroad. Private researchers have previously told CNN that a Chinese group focused on espionage is among the hackers exploiting the flaws.
In a recent incident, CISA announced in 2023 that Ivanti software for mobile phones has a vulnerability that allows for the theft of “names, phone numbers, and other mobile device details.” An attacker could also make “other configuration changes, including installing software and modifying security profiles” on a compromised phone.
“Active exploitation of this vulnerability” has happened, CISA said, basing it on a “credible” Ivanti source.
CISA’s Troubled Record
According to a 2023 report released by the House Committee on the Judiciary and the Select Subcommittee on the Weaponization of the Federal Government, CISA tried to cover up its domestic censorship practices.
Previously undisclosed, nonpublic documents have revealed that CISA acted beyond its power to surveil speech on social media and colluded with Big Tech companies like Twitter and government-funded third parties to “censor by proxy.”
Messages presented in the report show that CISA then tried to conceal its “plainly unconstitutional activities” from the public.
The report highlights particularly concerning practices, such as CISA’s contemplation of establishing a “rapid response” anti-misinformation team, relocating censorship operations to a third-party nonprofit to avoid negative perceptions, and the agency’s intention to employ the non-profit as a mouthpiece to evade accusations of government propaganda.
NTD reached out to CISA for a comment but did not receive a response by press time.
Aldgra Fredly, Caden Pearson, and the CNN Wire contributed to this report.
