The US government is still in the dark over how deeply Russian hackers penetrated its networks during the worst ever cyber attack on federal agencies, members of Congress warned on Friday.
At least six government departments were breached in a likely Russian intelligence operation thought to have begun in March. Although there is no evidence that classified networks were compromised, it is not known what the hackers may have stolen or how long it will take to purge them.
Members of Congress said the government is still scrambling to understand the fallout as details emerge. “This hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in the terms of the breadth of the intrusion itself,” commented Stephen Lynch, head of the House of Representatives’ oversight and reform committee, after attending a classified briefing.
Congressman Jamie Raskin, another member of the committee, added: “There’s a lot more that we don’t know than what we do know. I’m hopeful the government will learn exactly how this was perpetrated on us and what is the full scope of the damage.”
US officials say they only recently became aware of the attacks on both the government and some Fortune 500 companies in which cyber spies roamed undetected for as long as nine months.
The energy department and national nuclear security administration, which manages the country’s nuclear weapons stockpile, was among the agencies breached.
Hackers injected malicious code into the software of SolarWinds, a company that provides network services, and appeared to use other tools to gain access. America’s cybersecurity agency warned of a “grave risk” to the nation’s infrastructure.
Tech giant Microsoft, which has helped respond to the breach, said it has identified more than 40 government agencies, think tanks, non-governmental organisations and IT companies infiltrated by the hackers. Four in five were in the US – nearly half of them tech companies – with victims also in Canada, Mexico, Belgium, Spain, the UK, Israel and the United Arab Emirates.
Microsoft said in a blogpost: “This is not espionage as usual, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
But Donald Trump, long reluctant to criticise his Russian counterpart, Vladimir Putin, has been conspicuously silent, focused instead on overturning an election that he lost. The US president is under growing pressure to speak out about what some described as an epic national security crisis.
The Republican senator Mitt Romney, a former presidential candidate, told SiriusXM radio: “What I find most astonishing is that a cyber hack of this nature is really the modern equivalent of almost Russian bombers reportedly flying undetected over the entire country.”
Describing the country’s cyber defences as extraordinarily vulnerable and weak, Romney added: “In this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary.”
Trump’s absence on the issue implies that it will be left to his successor, Joe Biden, to retaliate through sanctions, criminal charges or other means. In a statement on Thursday, the president-elect said his administration “will make dealing with this breach a top priority from the moment we take office”.
The damage, however, could take years to remedy. Thomas Bossert, Trump’s former homeland security adviser, wrote this week in a New York Times column: “While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.
“The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.”