The global campaign, investigators now believe, involved the hackers inserting their code into periodic updates of software used to manage networks by a company called SolarWinds. Its products are widely used in corporate and federal networks, and the malware was carefully minimized to avoid detection.
If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since a two-year spree in 2014 and 2015, in which Russian intelligence agencies gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff. It took years to undo the damage, but President Barack Obama decided at the time not to name the Russians as the perpetrators — a move that many in his administration now regard as a mistake.
Emboldened, the same group of hackers went on to invade the systems of the Democratic National Committee and top officials in Hillary Clinton’s campaign, touching off investigations and fears that permeated both the 2016 and 2020 contests. Another more disruptive Russian intelligence agency, the G.R.U., is believed to be responsible for then making public the hacked emails at the D.N.C.
“There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike, a cybersecurity firm that helped find the Russians in the Democratic National Committee systems four years ago. “Not unlike what we had seen in 2014-2015 from this actor, when they ran a massive campaign and successfully compromised numerous victims.”
Russia has been one of several countries that have also been hacking American research institutions and pharmaceutical companies. This summer, Symantec Corporation warned that a Russian ransomware group was exploiting the sudden change in American work habits because of the pandemic and was injecting code into corporate networks with a speed and breadth not previously seen.
According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate both federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week.
Most hacks involve stealing user names and passwords, but this was far more sophisticated. It involved the creation of counterfeit “tokens,” essentially electronic credentials that assure Microsoft, Google or other providers of the identity of the computer system their email systems are talking to. By using a flaw that is extraordinarily difficult to detect, the hackers were able to trick the system and gain access, undetected.