WASHINGTON — The scope of a hack engineered by one of Russia’s premier intelligence agencies became clearer on Monday, when some Trump administration officials acknowledged that other federal agencies — the State Department, the Department of Homeland Security and parts of the Pentagon — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected by the highly sophisticated attack.
United States officials did not detect the attack until recent weeks, and then only when a private cybersecurity firm, FireEye, alerted American intelligence that the hackers had evaded layers of defenses.
It was evident that the Treasury and Commerce Departments, the first agencies reported to be breached, were only part of a far larger operation whose sophistication stunned even experts who have been following a quarter-century of Russian hacks on the Pentagon and American civilian agencies.
About 18,000 private and government users downloaded a Russian tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised.
Among those who use SolarWinds software are the Centers for Disease Control and Prevention, the State Department, the Justice Department, parts of the Pentagon and a number of utility companies. While the presence of the software is not by itself evidence that each network was compromised and information was stolen, investigators spent Monday trying to understand the extent of the damage in what could be a significant loss of American data to a foreign attacker.
The National Security Agency — the premier U.S. intelligence organization that both hacks into foreign networks and defends national security agencies from attacks — apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye. The N.S.A. itself uses SolarWinds software.
Two of the most embarrassing breaches came at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the American election system last month.
A government official, who requested anonymity to speak about the investigation, made clear that the Homeland Security Department, which is charged with securing civilian government agencies and the private sector, was itself a victim of the complex attack. But the department, which often urges companies to come clean to their customers when their systems are victims of successful attacks, issued an obfuscating official statement that said only: “The Department of Homeland Security is aware of reports of a breach. We are currently investigating the matter.”
Parts of the Pentagon were also affected by the attack, said a U.S. official who spoke on the condition of anonymity, who added that they were not yet sure to what extent.
“The D.O.D. is aware of the reports and is currently assessing the impact,” said Russell Goemaere, a Pentagon spokesman.
This was the second time in recent years that Russian intelligence agencies had pierced the State Department’s email systems. Six years ago, officials struggled to get Russian hackers out of their unclassified email systems, at times shutting down State’s communications with its own staff in an effort to purge the system.
Then, as now, State Department officials refused to acknowledge that Russia had been responsible. In an interview with Breitbart Radio News, Secretary of State Mike Pompeo deflected the question with generalities, saying that there had “been a consistent effort of the Russians to try and get into American servers, not only those of government agencies, but of businesses. We see this even more strongly from the Chinese Communist Party, from the North Koreans, as well.”
In fact, it is the Russians who have been consistently most effective, though in this case it was not clear which State Department systems they had extracted data from or how much. A State Department spokeswoman declined to comment.
Investigators were also focused on why the Russians targeted the Commerce Department’s National Telecommunications and Information Administration, which helps determine policy for internet-related issues, including setting standards and blocking imports and exports of technology that is considered a national security risk. But analysts noted that the agency deals with some of the most cutting-edge commercial technologies, determining what will be sold and denied to adversarial countries.
Nearly all Fortune 500 companies, including The New York Times, use SolarWinds products to monitor their networks. So does Los Alamos National Laboratory, where nuclear weapons are designed, and major defense contractors like Boeing, which declined on Monday to discuss the attack.
The early assessments of the intrusions — believed to be the work of Russia’s S.V.R., a successor to the K.G.B. — suggest that the hackers were highly selective about which victims they exploited for further access and data theft.
The hackers embedded their malicious code in the Orion software made by SolarWinds, which is based in Austin, Texas. The company said that 33,000 of its 300,000 customers use Orion, and only half of those downloaded the malign Russian update. FireEye said that despite their widespread access, Russian hackers exploited only what was considered the most valuable targets.
The Cybersecurity and Infrastructure Security Agency on Sunday issued a rare emergency directive warning federal agencies to “power down” the SolarWinds software. But that only prevents new intrusions; it does not eradicate Russian hackers who, FireEye said, planted their own “back doors,” imitated legitimate email users and fooled the electronic systems that are supposed to assure the identities of users with the right passwords and additional authentication.
“A supply chain attack like this is an incredibly expensive operation — the more you make use of it, the higher the likelihood you get caught or burned,” said John Hultquist, a threat director at FireEye. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.”
The chief executive officers of the largest American utility companies held an urgent call on Monday to discuss the possible threat of the SolarWinds compromise to the power grid.
For the N.S.A. and its director, Gen. Paul M. Nakasone, who also heads the U.S. Cyber Command, the attack ranks among the biggest crises of his time in office. He was brought in nearly three years ago as one of the nation’s most experienced and trusted cyberwarriors, promising Congress that he would make sure that those who attacked the United States paid a price.
Bookmarks