Russia probable culprit behind massive cyber attack, US intelligence agencies say

President-elect Joe Biden promised the US ‘will respond in kind’ to the security breach

WASHINGTON, DC - MAY 05: Nominee John L. Ratcliffe sits during a Senate Intelligence Committee nomination hearing at the Dirksen Senate Office building on Capitol Hill on May 5, 2020 in Washington, DC. The panel is considering Ratcliffe's nomination for Director of National Intelligence. Gabriella Demczuk - Pool/Getty Images/AFP

The office of the US Director of National Intelligence said the group behind a string of hacks on American federal agencies that was identified last month was probably Russian in origin.

Intelligence gathering appeared to be the hackers’ goal rather than any destructive act, it said in a statement with the FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency.

The agencies said they had identified fewer than 10 federal agencies that were hacked and that the perpetrator, probably Russian in origin, was responsible for most or all of the recently discovered ongoing cyber compromises of both government and non-governmental networks. Their investigation is continuing, they said, and could uncover more security breaches.

It was the first formal statement of attribution by the Trump administration.

Elected officials briefed on the inquiry and Secretary of State Mike Pompeo had previously said Russia was behind the hacking spree, but President Donald Trump said it could have been China.

The incoming administration of Joe Biden has already promised a response to the SolarWinds hacks. On Tuesday, the top Democrats on the Congressional intelligence committees underscored that need.

“Congress will need to conduct a comprehensive review of the circumstances leading to this compromise, assess the deficiencies in our defences, take stock of the sufficiency of our response in order to prevent this from happening again, and ensure that we respond appropriately,” said Adam Schiff, head of the House committee.

Russian officials denied involvement and did not immediately respond to questions on Tuesday.

The penetration of departments including Defence, State, Homeland Security, Treasury, and Commerce is already considered to be the worst known breach of cyber-security since electronic dossiers on most Americans with security clearance were taken from the Office of Personnel Management five years ago.

Officials briefed on the case said the main target of the hackers appeared to be email. One said no classified network seemed to have been breached and that fewer than 50 private companies had been fully compromised, a smaller number than initially feared.

The SolarWinds logo is seen outside its headquarters in Austin, Texas, US, December 18, 2020. Reuters/Sergio Flores

The security company FireEye Inc, which was itself hacked, discovered the new round of attacks, many of which were traced to a tainted software update from SolarWinds Corp, which makes widely used network-management programs.

It remains unknown how the hackers got deep inside SolarWinds’ production system as long as a year ago. But once there, they were able to slip “back doors” into two digitally signed updates of the company’s flagship Orion software.

As many as 18,000 customers downloaded those updates, which sent signals back to the hackers. At a small number of high-value targets, the group then manipulated access to cloud services to read emails or other content and potentially installed other back doors, making clean-up after discovery a daunting task.

A few major technology companies said they had at least downloaded the bad code from SolarWinds. Microsoft Corp said on December 31 the penetration had gone well beyond that, enabling the intruders to view its prized source code and look for security flaws.

The attackers also hacked resellers of Microsoft services, which often retain access to their customers' systems, to go after email at organisations that were not SolarWinds customers, said security company CrowdStrike Holdings Inc and Microsoft employees.

Microsoft and federal investigators have not said how many resellers were hacked or how many customers were affected.