SAN FRANCISCO • The office of the US director of national intelligence has said it is likely Russia was behind a string of hacks identified last month that gained access to several federal agencies.
The office – along with the Federal Bureau of Investigation, the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency – said in a joint statement on Tuesday that the hackers’ goal appeared to be collecting data, rather than any destructive acts. They said they had so far identified “fewer than 10” agencies that were hacked.
The agencies said that the actor, “likely Russian in origin, was responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks”.
The investigation is continuing, they said, and could turn up additional government victims.
It was the first formal statement of attribution by the Trump administration.
Elected officials briefed on the inquiry and Secretary of State Mike Pompeo had previously said Russia was behind the hacking spree, but President Donald Trump said it could have been China.
The incoming administration of Democrat Joe Biden has already promised a response to the SolarWinds hacks. And on Tuesday, the top Democrats on the congressional intelligence committees underscored that need.
“Congress will need to conduct a comprehensive review of the circumstances leading to this compromise, assess the deficiencies in our defences, take stock of the sufficiency of our response in order to prevent this from happening again, and ensure we respond appropriately,” said Mr Adam Schiff, head of the House committee.
Russian officials have denied involvement and did not respond to questions on Tuesday.
The penetration of departments including Defence, State, Homeland Security, Treasury and Commerce is already considered the worst known cyber compromise at least since electronic dossiers on most Americans with security clearances were taken from the Office of Personnel Management five years ago.
Officials briefed on the case said the main target of the hackers appeared to be e-mail. One official said no classified networks seem to have been breached and that fewer than 50 private companies had been fully compromised, a lower number than initially feared.
The security company FireEye, which was itself breached, discovered the new round of attacks, many of them traced to a tainted software update from SolarWinds, which makes widely used network-management programs.
It remains unknown how the hackers got deep inside SolarWinds’ production system as long as a year ago. Once in, they were able to slip “back doors” into two digitally signed updates of the company’s flagship Orion software. Because the malicious code was built in before the updates were signed, the updates carried valid SolarWinds signatures; a valid signature proves who signed a file, not that the build behind it is clean.
As many as 18,000 customers downloaded those updates, which then signalled back to infrastructure controlled by the hackers. At a small number of high-value targets, the group then manipulated access to cloud services in order to read e-mail messages or other content and potentially installed other back doors, making clean-up after discovery a daunting task.
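The implanted updates described above announced themselves by calling home on a schedule. One practical check a defender can run over ordinary proxy or DNS logs is to look for outbound connections whose timing is too regular to be human. The script below is an added example, not code from the article or from any of the companies it names; the log format (timestamp, source host, destination domain) and the log lines are constructed for illustration, and the `.test` domains are placeholders rather than real indicators.

```python
"""Flag periodic outbound connections ("beaconing") in simple connection logs.

Added example, not part of the original article. Assumes a constructed log
format of one event per line: ISO-8601 timestamp, source host, destination.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log; the domains are placeholders, not real indicators.
# ws-042 contacts one domain every ~10 minutes, the classic beacon pattern.
SAMPLE_LOG = """\
2020-12-01T08:00:00Z ws-042 updates.example-vendor.test
2020-12-01T08:00:07Z ws-042 news.example.test
2020-12-01T08:10:01Z ws-042 updates.example-vendor.test
2020-12-01T08:19:59Z ws-042 updates.example-vendor.test
2020-12-01T08:23:40Z ws-042 mail.example.test
2020-12-01T08:30:02Z ws-042 updates.example-vendor.test
2020-12-01T08:40:00Z ws-042 updates.example-vendor.test
2020-12-01T08:50:01Z ws-042 updates.example-vendor.test
2020-12-01T08:03:12Z ws-017 news.example.test
2020-12-01T08:41:55Z ws-017 news.example.test
2020-12-01T09:02:07Z ws-017 news.example.test
2020-12-01T09:05:30Z ws-017 news.example.test
"""


def parse_log(text):
    """Group events by (host, destination) and return sorted timestamps per pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dest = line.split()
        events[(host, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for key in events:
        events[key].sort()
    return dict(events)


def find_beacons(events, min_events=5, max_jitter=0.1):
    """Return (host, destination) pairs whose inter-connection gaps are very regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; a real beacon with little jitter
    scores close to zero. min_events avoids flagging pairs with too few samples.
    """
    hits = {}
    for key, times in events.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            hits[key] = {
                "count": len(times),
                "mean_interval_s": round(avg),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (host, dest), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {dest}: {info['count']} connections, "
              f"every ~{info['mean_interval_s']}s (cv={info['cv']})")
```

On the sample data only the ws-042 connections to updates.example-vendor.test are flagged (six events roughly 600 seconds apart); the other pairs are either too few or too irregular. Real implants often add random jitter to each sleep, so `max_jitter` and `min_events` are tuning knobs, and a hit is a lead to investigate rather than proof of compromise.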
A few major technology companies have said they had at least downloaded the bad code from SolarWinds, and Microsoft said on Dec 31 that the penetration had gone well beyond that, allowing the intruders to view its prized source code, where they might have looked for security flaws.
The attackers also hacked resellers of Microsoft cloud services, which often retain administrative access to their customers’ accounts, and used that access to go after e-mail at organisations that were not SolarWinds customers, according to security company CrowdStrike Holdings and Microsoft employees.
Microsoft and federal investigators have not said how many resellers were hacked or how many customers were affected.
The overall strategy of electronic infiltration through vendors, known as a supply-chain attack, is especially effective because it inherits the trust customers place in a supplier’s signed software and in the access they grant to service providers, and officials fear that the success of the current wave will encourage more of such acts.