LONDON — The scale of a sophisticated cyberattack on the U.S. government that was unearthed this week is much bigger than many first anticipated.
The Cybersecurity and Infrastructure Security Agency (CISA) said in a summary on Thursday that the threat “poses a grave risk to the federal government.”
It added that “state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations” are also at risk.
CISA believes that the attack began at least as early as March 2020. Since then, multiple government agencies have reportedly been targeted by the hackers with confirmation from just the energy and commerce departments so far.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” said CISA. “Removing the threat actor from compromised environments will be highly complex and challenging.”
CISA has not said who it thinks is the “advanced persistent threat actor” behind the “significant and ongoing” campaign but some experts are pointing the finger at Russia.
“The magnitude of this ongoing attack is hard to overstate,” wrote ex-Trump Homeland Security Advisor Thomas Bossert in a piece for The New York Times on Thursday. “The Russians have had access to a considerable number of important and sensitive networks for six to nine months.”
Russian presidential spokesman Dmitry Peskov told the Tass news agency that he rejects the accusations.
“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away. We have nothing to do with this,” he reportedly said.
The Russian embassy in London did not immediately respond to CNBC’s request for comment.
The FBI said it is “investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors” in a joint statement with CISA and the Office of the Director of National Intelligence on Wednesday.
At this stage, it’s not clear exactly what the hackers have done beyond accessing top-secret government networks and monitoring data.
Hackers also accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, according to Politico magazine, which cited officials familiar with the matter.
CISA said those behind the attack used network management software made by SolarWinds, a Texas-headquartered IT firm, in order to breach government networks.
As many as 18,000 SolarWinds Orion customers downloaded a software update that contained a backdoor, which the hackers used to gain access to the networks.
CISA issued an “Emergency Directive” this week instructing federal civilian agencies to “immediately disconnect or power down affected SolarWinds Orion products from their network.”
But the perpetrators may have used other means to access the networks. CISA said Thursday that is investigating “evidence of additional access vectors, other than the SolarWinds Orion platform.”
Microsoft customers targeted
Like with the cyberattack of SolarWinds, hackers infiltrated Microsoft products and then went after others, Reuters said, citing people familiar with the matter.
Microsoft said that more than 40 organizations it holds as customers were targeted and compromised in the attack.
“While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries,” wrote Microsoft President Brad Smith in a blog.
“This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.”
Smith added that “this is not espionage as usual” and “while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy.”
U.S. President-elect Joe Biden pledged Thursday to make cybersecurity a key area of focus for his administration.
“A good defense isn’t enough; We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said in a statement issued by his transition team.
“We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”