Federal authorities expressed increased alarm Thursday about a long-undetected intrusion into U.S. and other computer systems around the globe that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.
The hack compromised federal agencies and “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo, the Cybersecurity and Infrastructure Security Agency said in an unusual warning message. The Department of Energy acknowledged it was among those that had been hacked.
“This is the first time we are aware of something this big happening, so I would definitely call that surprising,” said Ben Finke, co-founder of the Jacksonville-based cybersecurity firm OnDefend.
CISA officials did not respond to questions and so it was unclear what the agency meant by a “grave threat” or by “critical infrastructure” possibly targeted in the attack that the agency previously said appeared to have begun last March. Homeland Security, the agency’s parent department, defines such infrastructure as any “vital” assets to the U.S. or its economy, a broad category that could include power plants and financial institutions.
The agency previously said the perpetrators had used network management software from Texas-based SolarWinds to infiltrate computer networks. Its new alert said the attackers may have used other methods, as well.
Over the weekend, amid reports that the Treasury and Commerce departments were breached, CISA directed all civilian agencies of the federal government to remove SolarWinds from their servers. The cybersecurity agencies of Britain and Ireland issued similar alerts.
A U.S. official previously told The Associated Press that Russia-based hackers were suspected, but neither CISA nor the FBI has publicly said who is believed to be responsible. Asked whether Russia was behind the attack, the official said: “We believe so. We haven’t said that publicly yet because it isn’t 100% confirmed.”
Another U.S. official, speaking Thursday on condition of anonymity to discuss a matter that is under investigation, said the hack was severe and extremely damaging although the administration was not yet ready to publicly blame anyone for it.
“This is looking like it’s the worst hacking case in the history of America,” the official said. “They got into everything.”
Russian President Vladimir Putin denied having anything to do with the attacks. He said it’s from within the U.S. government.
“This anonymous person seems clear to me, who called these hackers criminals associated with Russian military intelligence. It’s the Department of State and the U.S. intelligence services. They are the authors in fact,” Putin said. “In any case, it was done on their instructions. This is quite obvious.”
At the Department of Energy, the initial investigation revealed that malware injected into its networks via a SolarWinds update has been found only on its business networks and has not affected national security operations, including the agency that manages the nation’s nuclear weapons stockpile, according to its statement. It said vulnerable software was disconnected from the DOE network to reduce any risk.
“The simple reality is that most organizations including government organizations don’t really have a plan when the tools they’re buying to help secure their networks are used against them,” Finke said.
The intentions of the perpetrators appear to be espionage and gathering information rather than destruction, according to security experts and former government officials. If so, they are now remarkably well situated.
Members of Congress said they feared that taxpayers’ personal information could have been exposed because the IRS is part of Treasury, which used SolarWinds software.
Tom Kellermann, cybersecurity strategy chief of the software company VMware, said the hackers are now “omniscient to the operations” of federal agencies they’ve infiltrated “and there is viable concern that they might leverage destructive attacks within these agencies” in reaction to U.S. response.
Among the business sectors scrambling to protect their systems and assess potential theft of information are defense contractors, technology companies and providers of telecommunications and the electric grid.
“A lot of really big companies, government organizations and groups across the world quite frankly are having to figure out how much access these attackers of had to their data for maybe the last nine months. Not that all of it would be interesting to them, but some of it certainly would be,” Finke said. “It’s just amazing they were able to pull this off and keep it quiet for this long.”
A group led by CEOs in the electric power industry said it held a “situational awareness call” earlier this week to help electric companies and public power utilities identify whether the compromise posed a threat to their networks.
And dozens of smaller institutions that seemed to have little data of interest to foreign spies were nonetheless forced to respond to the hack.
The Helix Water District, which provides drinking water to the suburbs of San Diego, California, said it provided a patch to its SolarWinds software after it got an advisory the IT company sent out about the hack to about 33,000 customers Sunday.
“While we do utilize SolarWinds, we are not aware of any district impacts from the security breach,” said Michelle Curtis, a spokesperson for the water district.
The FBI and other U.S. agencies are investigating.
Toni Chrabot, a former FBI supervisor who now runs Risk Confidence Group, said a slew of federal agents will try to unravel what happened and what the hackers had access to.
“Hackers are more and more sophisticated just like systems are more and more sophisticated and changing daily,” she said. “It will probably be very difficult.”