The US Energy Department also said it has evidence hackers gained access to its networks as part of the campaign. US news site Politico had earlier reported the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, was targeted.
An Energy Department spokeswoman denied this, saying malware “has been isolated to business networks only” and has not impacted national security, including the NNSA.
Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, at a minimum, that had data stolen by suspected Russian hackers. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, such as FireEye, that are charged with securing vast sections of the public and private sector.
“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more non-governmental victims than there are governmental victims, with a big focus on IT companies, especially in the security industry.”
After playing down the episode — in addition to Trump’s silence, Secretary of State Mike Pompeo deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the new government alert left no doubt the assessment had changed.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said.
“It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered”.
Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.
Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims”.
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said, adding that he plans to impose “substantial costs on those responsible”.
Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the SVR, an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 per cent — are in the United States, while Russia shows no infections at all.
The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other ways that the attackers had found to get into networks on which the day-to-day business of the United States depends.
FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data or take command of computer systems. So far, though, there has been no evidence of that happening.
The New York Times