WASHINGTON — Federal officials issued an urgent warning Thursday that the hackers who had penetrated deep into government systems also used other malware — and different attack techniques — that posed “a grave risk to the federal government.”
The warning, from the Department of Homeland Security’s cybersecurity arm, gave no details. But it confirmed suspicions voiced earlier this week by FireEye, a cybersecurity firm, that there were almost certainly other pathways that had been found for attack.
FireEye was the first to inform the government that a Russian intelligence agency’s hackers had, since this spring, gotten into critical network monitoring software used by the government and hundreds of Fortune 500 companies.
The discovery vastly complicates the challenge for federal investigators as they search through computer networks used by the Treasury, the Defense Department, the Commerce Department and nuclear laboratories, trying to assess the damage and understand what the hackers had stolen. It suggests that other software in the “supply chain” used by government agencies and companies are similarly corrupted, though it appears that investigators do not have a comprehensive list.
But it also raises the possibility that the goal of the hackers went beyond espionage, and that the Russian actors, once inside the systems, could alter data or use their access to take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.
The alert also ramped up the urgency of government warnings. After playing the incident down — President Trump has said nothing and Secretary of State Mike Pompeo deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the new alert left no doubt the assessment had changed.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”
“Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” the warning said. As a result, it could take months, investigators say, to unravel the extent to which American networks are compromised.
The warning came just days after Microsoft, which produces Windows software and monitors the global network of computers that make use of Windows, took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware.
That shut off further penetration. But it is of no help to organizations that have already been penetrated, since the first software was corrupted with malware in March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.
This is a developing story. Check back for updates.