Federal officials issued an urgent warning on Thursday that hackers who American intelligence agencies believed were working for the Kremlin used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government”.
The discovery suggests that the scope of the hacking extends well beyond the nuclear laboratories and the Pentagon, treasury and commerce department systems already identified, which complicates the challenge for federal investigators as they try to assess the damage and understand what was stolen.
Minutes after the statement from the cybersecurity arm of the department of homeland security, President-elect Joseph R. Biden Jr warned that his administration would impose “substantial costs” on those responsible.
“A good defence isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”
President Trump has yet to say anything about the attack.
Echoing the government’s warning, Microsoft said on Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.
“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more non-governmental victims than there are governmental victims, with a big focus on IT companies, especially in the security industry.”
The energy department and its National Nuclear Security Administration, which maintains the US nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions”, Shaylyn Hynes, a department of energy spokeswoman, said in a statement.
“At this point, the investigation has found that the malware has been isolated to business networks only,” Hynes said.
Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the SVR, an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 per cent — are in the US, while Russia shows no infections at all.
The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found into the networks on which the day-to-day business of the US depends.
FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that the hackers could ultimately use their access to shut down American systems or to corrupt or destroy data.
New York Times News Service