Suspected Russian Hack Went Undetected for Months

As early as March of this year, customers of SolarWinds Inc., a U.S. network-management company, began unwittingly installing malicious software as part of a routine and seemingly benign update issued for a software product known as Orion, according to the company.

That update, which would have been especially difficult to identify as a threat, contained what investigators called a back door that could have granted easy access to nearly 18,000 entities that downloaded it. Investigators expect the number of fully compromised victims to be smaller, perhaps totaling hundreds.

Both the U.S. Commerce and Treasury departments had some of their systems compromised in the breach, according to officials and people familiar with the continuing investigation.

On Monday the list of known impacted agencies grew substantially. The Department of Homeland Security, the National Institutes of Health and the State Department were all hacked as well, people familiar with the matter said.

All three agencies declined to comment about their breaches. The Washington Post first reported the intrusions at the NIH and the State Department late Monday.

The hacks identified so far appear to be a fraction of the total number of federal and private networks that were compromised by Russian spies intent on monitoring internal communications.

National security agencies and defense contractors also were among those breached as part of the espionage campaign, according to a person familiar with the continuing investigation. The person and others briefed on the matter said the breach could amount to one of the most significant national security failures in years.

Russia’s foreign-intelligence service is suspected of being responsible.The same group has been linked to cyber espionage campaigns in the past, including an intrusion of multiple agencies, including the State Department and White House, during the Obama administration.

The Russian Embassy in Washington denied responsibility and said the allegations were “unfounded attempts of the U.S. media to blame Russia.”

Investigators were still working to assess the overall fallout. In a Securities and Exchange Commission filing about the hack on Monday, SolarWinds said it had notified 33,000 customers about the intrusion, and that it believes the number of customers that installed a hijacked Orion update between March and June of this year was fewer than 18,000.

The attack on SolarWinds appeared to grant hackers potential access to an extensive list of the most coveted computer systems that would be of interest to a foreign adversary. The company holds contracts with all five branches of the military and several national security agencies as well as major defense contractors like Lockheed Martin Corp. and more than 400 of the Fortune 500 companies.

SolarWinds is working with FireEye, a major U.S-based cybersecurity firm, and the intelligence community and law enforcement on an investigation, a spokesman said.

It couldn’t be learned how SolarWinds itself was hacked. The company said in its SEC filing that its Microsoft Office 365 email systems had been compromised and that this incident “may have provided access to other data contained in the company’s office productivity tools.” In a Sunday blog post, Microsoft said that it hadn’t identified any vulnerabilities in its products as a result of its investigation into the incident.

FireEye last week provided a vague description of a hack that it said was the work of a capable foreign government, though it hasn’t said publicly which nation it believes is responsible.

The wider contours of the suspected Russian cyber espionage campaign—including the breaches of government agencies—began coming into focus over the weekend, as the details of the FireEye hack allowed those in the administration and across the government to review their systems for possible intrusion, the people familiar with the matter said.

The damage isn’t limited to the U.S. FireEye has so far seen customers compromised across the globe—in North America, Europe, Asia and the Middle East—and across a range of sectors including telecommunications, tech, health care, automotive, energy and government, a person familiar with the company investigation said.

As a sign of the severity of the threat, the Cybersecurity and Infrastructure Security Agency, a part of the Department of Homeland Security that helps government and businesses address cyberattacks, issued a rare emergency directive on Sunday. The agency instructed all federal civilian agencies to review their networks for possible compromise and immediately shut down the use of SolarWinds Orion products.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, CISA’s acting director.

Merely uninstalling SolarWinds will not eliminate the threat, officials and investigators said, and purging the suspected Russians from internal systems could be especially difficult because they placed a premium on operating quietly and avoided detection in other networks until the FireEye intrusion. “These guys are exceedingly stealthy and able to avoid efforts to root them out,” a person familiar with the matter said. “It will be an uphill battle. I have never seen anything like this.”

According to a review of federal procurement records, the Pentagon and multiple branches of the armed services, including the Army and Navy, have purchased and installed the Orion product. So have the Department of Veterans Affairs and the National Institutes of Health, both agencies that are involved in the response to the coronavirus pandemic.

“The VA is looking into this issue and has not detected any breaches,” said Christina Noel, spokeswoman for the VA. “However, we are taking SolarWinds offline out of an abundance of caution.”

In a radio interview Monday, Secretary of State Mike Pompeo appeared to acknowledge Russia’s involvement in the hack and vowed that the Trump administration would work to protect sensitive information from falling into the wrong hands.

“I can’t say much other than it’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses,” Mr. Pompeo said. “It is an ongoing battle, an ongoing struggle to keep our systems safe, and I’m very confident the United States government will keep our classified information out of the hands of these bad actors.”

Sen. Ron Wyden (D., Ore.), a Senate Intelligence Committee member, said that if reports of the hack were true, the U.S. “has suffered a massive national security failure that could have ramifications for years to come.”

Mr. Wyden said he was pushing the administration to detail the full scope of the breach and explain steps being taken to minimize damage. “I fear that the damage is far more significant than currently known,” he said.

Sen. Angus King, an independent from Maine who caucuses with the Democrats, said the hack was especially concerning because it came little more than a month before President-elect Joe Biden would take office.

“A moment of transition is a moment of vulnerability,” Mr. King said.

Mr. King, who also serves on the intelligence panel, said he hadn’t been briefed on the hack yet but that if Russia was confirmed to be responsible, it would show the federal government remains ill-equipped to respond to nation-state cyberattacks.

Russian President Vladimir Putin “doesn’t have the resources to compete with us with conventional weapons, but he can hire about 8,000 hackers for the price of one jet fighter,” Mr. King said. “We just learned the damage those hackers can do, if it is indeed Russia.”

—Ben Kesling contributed to this article.

Write to Dustin Volz at [email protected] and Robert McMillan at [email protected]