CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed Thursday that it is working with private industry partners to respond to a recent security breach, identified by independent researchers, affecting Sisense, a data analytics service provider. The agency said it is taking an active role in the response, particularly with respect to affected critical infrastructure sector entities.

In its alert, CISA urges Sisense customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services; and investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to or used to access Sisense services.

In a Thursday LinkedIn post, investigative reporter Brian Krebs shared a screenshot of the Sisense CISO’s email to customers. The post read: “There is something potentially huge popping up now. Has to do with a compromise at business intelligence vendor Sisense. I’m hearing this is a supply chain attack affecting many millions of credentials and hundreds of tenants. This is a message the Sisense CISO just sent to customers.”

Sangram Dash, chief information security officer at Sisense, wrote, “We are aware of reports that certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet). We are taking this matter seriously and promptly commenced an investigation. We engaged industry-leading experts to assist us with the investigation.”

He added that the “matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application. Should you have any questions related to this matter, please email [email protected].”

Dash noted, “This is a proactive measure to ensure that our customers are secure.”

Based in New York, Sisense accelerates product innovation through AI/ML capabilities. Its global analytics platform lets customers drive better, faster decisions for their business and end-users.

Commenting on the Sisense breach, Chris Hughes, chief security advisor at supply chain security company Endor Labs and cyber innovation fellow at CISA, wrote in an emailed statement, “There could be several scenarios that play out of this incident, which, as CISA has pointed out, impacts critical infrastructure organizations as well. The credentials, for example, that may have been exposed may be used by customers and users in other environments and can be utilized by attackers to now pivot to other environments and systems that the Sisense incident exposed.”

“This highlights the continued interest by malicious attackers when it comes to targeting widely used software products and suppliers including those used by critical infrastructure entities,” according to Hughes. “Attackers continue to realize the value in focusing on software suppliers rather than targeting a single organization. They can attack a large software supplier or open-source project and have a massive downstream impact across the entire software ecosystem. The software supply chain remains the soft underbelly of the digital environment.”

Hughes added that these risks can be mitigated by organizations taking several steps such as comprehensively inventorying who their software suppliers are, and understanding what security practices and controls they have in place. “They can also run through various contingency plans and tabletop scenarios to plan how to respond when, not if, their next software supplier is impacted in a software supply chain attack. Organizations need to start taking a hard look at their software suppliers and ensuring that those suppliers are part of their broader security program and integrated into key activities such as cybersecurity supply chain risk management and third party risk.”

Jim Routh, chief trust officer at Saviynt, wrote in an emailed statement that these types of software supply chain attacks are only possible through compromised developer credentials and account information from an employee or contractor. “This incident highlights the need for enterprises to improve IAM capabilities for cloud-based services and third parties.”

Last December, the U.S. National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) in response to an increase in cyberattacks on supply chains over the past five years, including targeted attacks on software supply chains. The CSI gives network owners and operators guidance on incorporating effective SBOM management to help protect the cybersecurity supply chain, with a focus on, and some additional guidance for, national security systems (NSS).
