Extra hacking assaults discovered, officers warn of threat to the US authorities


WASHINGTON – Federal officials issued an urgent warning Thursday that hackers believed by American intelligence services to work for the Kremlin were using a far greater variety of tools than previously known to break into government systems, calling the cyber offensive "a serious one." Risk to the federal government. ”

The discovery suggests that the hacking that now appears to have expanded to include the Department of Energy's agency that designs nuclear weapons and the federal agency that protects the country's power grids, the challenge for federal investigators to search computer networks, trying to assess the damage made much more difficult and understand the scope of what had been stolen. A key question is whether access to espionage attacks could go beyond espionage.

Although the government's warning gave no specific indication of the origin of the hacking, intelligence agencies have told Congress that they believe this was carried out by the S.V.R., an elite Russian intelligence agency.

Minutes after the Department of Homeland Security's cybersecurity division made a statement, President-elect Joseph R. Biden Jr. made a strong statement – especially when compared to Mr Trump, who said nothing about the attacks. Mr Biden warned that his administration would impose "significant costs" on those responsible.

"A good defense is not enough. We need to disrupt and prevent our adversaries from carrying out primarily significant cyberattacks," said Biden, adding, "I will not stand idly by in the face of cyberattacks on our nation."

The government warning issued by the Agency for Cybersecurity and Infrastructure Security did not provide details of the new avenues in government systems it had discovered. But it confirmed suspicions that FireEye, a cybersecurity firm, had voiced this week that there were almost certainly other avenues the attackers had found to get into both the government and private networks of which the day-to-day business of the United States depends.

FireEye was the first to inform the government that the suspected Russian hackers had been infecting the regular software updates from a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and corporations, since at least March is used to monitor the critical infrastructure including the power grid.

Investigators and other officials believe that the target of the Russian attack was traditional espionage, such as that which the National Security Agency and other agencies regularly operate on foreign networks. However, the extent and depth of the hacking raises concerns that hackers could ultimately use their access to shut down American systems, damage or destroy data, or take command of computer systems running industrial processes. So far, however, there has been no evidence of this.

The warning was a clear sign of a new sense of urgency by the government. After downplaying the episode – in addition to Mr. Trump's silence, Secretary of State Mike Pompeo distracted the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender – the government's new warning left no doubt about it had changed.

"This adversary has demonstrated its ability to leverage software supply chains and has extensive knowledge of Windows networks," the warning said.

"It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures" that "have not yet been discovered".

"Taken together, these observed techniques indicate an adversary who has knowledge, is not familiar with operational safety and is willing to devote significant resources to maintaining the covert presence," the warning reads. As a result, investigators say it could take months to find out the extent to which American networks have been compromised.

Officials say the Trump administration plans, with just one month left in office, to simply turn in what appears to be what appears to be the largest federal cybersecurity breach in more than two decades.

Mr Biden's statement said he directed his transition team to learn as much as possible about "what appears to be a massive cybersecurity breach that may affect thousands of victims".

"I want to be clear: my administration will make cybersecurity a top priority at all levels of government – and we will make dealing with this breach a top priority from the time we take office," said Biden, adding that he plans to do so. impose substantial costs ”.

The Cybersecurity and Infrastructure Security Agency warning came days after Microsoft, which makes Windows software and monitors the global network of computers using Windows, partnered with FireEye to take immediate action to block communication between the SolarWinds network management software and a command and control center, which the Russians used to send instructions to their malware using a so-called kill switch.

That precluded further intrusion. However, this is of no help to organizations that have already got inside because the first software was corrupted in March. And the key line in the warning said that the SolarWinds compromise in the supply chain is not the only initial infection vector used to get into federal systems. This suggests that other software, also used by the government, has been infected and used to access foreign spies.

Forensic investigators in all federal agencies, the private sector, and the utilities that oversee the power grid are still trying to uncover the extent of the compromise. But security teams say the relief some felt that they were not using the compromised systems panicked Thursday when they learned that other third-party applications may have been compromised.

Two security experts working with utility companies said that as a precautionary measure, companies shut down third-party applications that have deep access to operating systems and scan their code for signs of compromise. To date, however, it is not clear whether the network operators have been compromised by the hackers.

In an interview this week, FireEye officials said they believed the actual number of targets could be limited to "dozen" of the 18,000 organizations using the SolarWinds software. However, after Thursday's warning about other Russian entry points, security experts expect the number of victims to rise.

David E. Sanger reported from Washington and Nicole Perlroth from Palo Alto, California.