Hacking ‘Likely’ Came From Russia, U.S. Says in Belated Statement

The operation is “ongoing” nearly a month after it was uncovered, according to four government agencies that described the hacking as an intelligence-gathering effort.

American intelligence agencies formally named Russia as the “likely” source of the broad hacking of the United States government and private companies, and declared that the operation was “ongoing” nearly a month after it was discovered.

The statement jointly issued Tuesday by four government agencies was a clear rebuke of President Trump’s efforts, in posts on Twitter, to suggest that China was behind the hacking. Inside the intelligence agencies, there are few doubts that Russia is responsible. There has been no information gathered pointing to China, according to people briefed on the material.

The statement also underscored the degree to which American intelligence agencies are still playing catch-up, after being alerted in mid-December by private security firms to the broadest and deepest penetration of American computer networks in recent times. The intelligence agencies have concluded with a high degree of confidence that Russia was responsible for the hacking, according to people briefed on the analysis.

The statement is as definitive a blaming of Russia as the United States has yet made, and echoed the early statements in 2016 about the Kremlin’s interference in that year’s election. It took several additional months in that case for intelligence agencies to link the attacks back to orders given by President Vladimir V. Putin.

Mr. Putin and his lead intelligence agency, the S.V.R., were not mentioned in the statement issued Tuesday. But the broad conclusion that Russia was the likely source of the penetration of American systems had already been announced by Secretary of State Mike Pompeo and the attorney general at the time, William P. Barr.

Tuesday’s statement was carefully worded, in a nod to Mr. Trump’s personal skepticism of Russian culpability. But however judicious in its language, the formal conclusion sets the stage for retaliation, most likely by President-elect Joseph R. Biden Jr. after he takes office. Mr. Biden, unlike Mr. Trump, has declared that whoever was behind the operation would pay a steep price.

A top Democratic lawmaker, Senator Mark Warner of Virginia, criticized the statement for coming far too slowly, and too tentatively, adding that he wanted to see a stronger administration policy against such foreign infiltration.

“It’s unfortunate that it has taken over three weeks after the revelation of an intrusion this significant for this administration to finally issue a tentative attribution,” said Mr. Warner, the vice chairman of the Senate Intelligence Committee. “We need to make clear to Russia that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will prompt an appropriately strong response.”

The joint agency statement said that a still unidentified cyberactor, most “likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cybercompromises of both government and nongovernmental networks.”

It added: “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The various agencies have created ad hoc working groups to deal with the hacking, but the task force’s creation is an acknowledgment that getting a handle on the full scope of the hacking will take time and is beyond the abilities of any single government agency.

While computers at many agencies were infected with the back door giving access, the Russian intelligence agencies were clearly judicious in which of those doors they opened and what information they stole, complicating the investigation of what material was taken.

The task force, officials say, will help the Department of Homeland Security, the F.B.I. and the National Security Agency better and more quickly share information.

But it does not assure that those agencies, which were clueless as the Russians began the operation in late 2019, and accelerated it last March, will solve the central question: Were the Russians seeking to do more than merely steal secrets?

The part of the hacking that the government understands best involved a Russian effort to get into the code of a program called Orion, produced by a Texas firm named SolarWinds. Orion is used to manage complex networks, and is used by the Treasury, Commerce and Energy Departments, and other government agencies. The statement on Tuesday said there was evidence that “fewer than 10” United States government agencies were “compromised by follow-on activity on their systems,” meaning the Russians chose to burrow deeper into their networks.

In total, 18,000 entities — mostly private corporations — used the compromised Orion system. While estimates vary, the latest thinking is that about 250 of those were selected by the Russians for deeper hacks.

To accomplish that goal, the Russian hackers set up command-and-control networks inside the United States, where the hacking activity could be directed. By running those command and control systems domestically, they evaded some of the sensors set up by the National Security Agency, one of the nation’s largest collectors of foreign signals intelligence. The agency is prohibited from operating inside the United States.

In addition to trying to get a deeper understanding on what the Russian spies took, the task force will also examine what is needed to fix existing computer networks and to ensure no other vulnerabilities remain in government networks. The task force will also begin the process of trying to put new procedures in place to try to prevent similar vulnerabilities from being exploited by adversarial powers.

Representative Adam B. Schiff, Democrat of California and the chairman of the House Intelligence Committee, said in a statement that Congress would conduct detailed investigations.

“It’s clear from the scale of this compromise that we have a lot of work to do to harden our defenses, shore up the government’s cybersecurity practices, improve the quality of intelligence collection on cyberthreat actors and increase cooperation, both within government and with the private sector to identify, fix and defend against these threats,” he said.

The characterization of the intrusion as an “intelligence gathering effort” is significant because it shows there is no indication yet that the Russians had planted malware in American systems that is intended to cause disruptions to power grids or alter data in government or private databases.

But in interviews over the past two weeks, both government and private officials have said they are still discovering the scope of the intrusions, and it may take months to figure out whether Russia or others may make more malicious use of “back doors” they placed in the systems.

The statement by the office of the director of national intelligence, the National Security Agency, the F.B.I. and the Department of Homeland Security appeared very similar in wording to one the White House was preparing to release nearly two weeks ago. But it was pulled back after Mr. Trump erupted at his intelligence briefers and said they had no evidence to link the action to Russia.

Mr. Trump has not addressed the hack, which happened on his watch, apart from one series of tweets that suggested any alarm was the work of the news media. Mr. Biden, in contrast, has suggested that Mr. Trump is ignoring a major threat to national security, and said that once in office he may seek “in kind” retaliation — though that could be difficult, since the United States is far more vulnerable to network attacks than is Russia.

Mr. Biden has acknowledged that the government he is inheriting in a little more than two weeks is riddled with so many intrusions in its systems that trusting the integrity of the systems on which the government runs will be next to impossible.

“I don’t know what the state of them is,” Mr. Biden said. “They’re clearly not safe right now.”

The joint statement on Tuesday announced the creation of a task force of officials from the F.B.I., Cybersecurity and Infrastructure Security Agency and intelligence agencies, to be known as the Cyber Unified Coordination Group.

Home / Articles / Hacking ‘Likely’ Came From Russia, U.S. Says in Belated Statement