Emboldened, the same group of hackers went on to invade the systems of the Democratic National Committee and top officials in Hillary Clinton’s campaign, touching off investigations and fears that permeated both the 2016 and 2020 contests. Another, more disruptive Russian intelligence agency, the G.R.U., is believed to be responsible for then making public the hacked emails at the D.N.C.
“There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike, a cybersecurity firm that helped find the Russians in the Democratic National Committee systems four years ago. “Not unlike what we had seen in 2014-2015 from this actor, when they ran a massive campaign and successfully compromised numerous victims.”
Russia has been one of several countries that have also been hacking American research institutions and pharmaceutical companies. This summer, Symantec Corporation warned that a Russian ransomware group was exploiting the sudden change in American work habits caused by the pandemic and was injecting code into corporate networks with a speed and breadth not previously seen.
According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate both federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week.
The Russian Embassy in Washington denied on Sunday night that Moscow had engaged in any hacking against the United States government. Russia, the embassy said in a statement, “does not conduct offensive operations in the cyber domain.”
Most hacks involve stealing user names and passwords, but this was far more sophisticated. Once they had a foothold through the SolarWinds network management software, the Russians, investigators said, were able to forge counterfeit “tokens,” essentially electronic credentials that vouch to Microsoft, Google or other providers for the identity of the computer system their email services are talking to. Because the receiving system accepts such a token as genuine, the technique is extraordinarily difficult to detect, and the hackers were able to gain access undetected.
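To make the token-forging point concrete, here is an added toy example; it is not code from the article, from SolarWinds, or from any of the investigators quoted. It constructs a hypothetical identity provider that mints signed identity tokens, an email service that trusts any token with a valid signature, and an attacker who has stolen the provider's signing key. HMAC-SHA256 stands in for the asymmetric signatures a real federation deployment would use, and the token layout, the names (`mail.example`, `alice`, `ceo`) and the signing key are all assumptions for illustration. The forged token passes every check the service can perform; the only thing that exposes it is cross-referencing the service's accepted-token log against the provider's own issuance log, which is the detection check a defender would want.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed, hypothetical toy: an identity provider (IdP) issues signed
# identity tokens, an email service trusts anything bearing a valid signature,
# and an attacker who has stolen the IdP signing key forges a token the IdP
# never issued. HMAC-SHA256 stands in for the asymmetric signatures real
# SAML/OIDC deployments use; the token layout is an assumption, not a real format.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: bytes, claims: Dict) -> str:
    """Serialize claims and append an HMAC over them: <claims>.<mac>."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


class IdentityProvider:
    def __init__(self, key: bytes):
        self._key = key
        self.issued_ids = set()  # the IdP's own issuance log: every token ID it minted

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}
        self.issued_ids.add(claims["jti"])
        return sign_token(self._key, claims)


class EmailService:
    """Relying party: checks signature, audience and expiry, then trusts the claims."""

    def __init__(self, key: bytes, audience: str):
        self._key = key
        self.audience = audience
        self.accepted_ids: List[str] = []  # service-side log of token IDs it accepted

    def verify(self, token: str, now: int) -> Optional[Dict]:
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            claims = json.loads(_unb64(body))
        except ValueError:  # malformed structure, bad base64 or bad JSON
            return None
        if claims.get("aud") != self.audience or now >= claims.get("exp", 0):
            return None
        self.accepted_ids.append(claims["jti"])
        return claims


def forge_token(stolen_key: bytes, subject: str, audience: str, now: int) -> str:
    """Attacker path: with the signing key, mint a token for any user, bypassing the IdP."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + 86400,
              "jti": secrets.token_hex(8)}
    return sign_token(stolen_key, claims)


def tokens_never_issued(idp: IdentityProvider, service: EmailService) -> List[str]:
    """Detection: token IDs the service honoured that the IdP has no record of issuing."""
    return [jti for jti in service.accepted_ids if jti not in idp.issued_ids]


def demo(now: int = 1_700_000_000):
    key = secrets.token_bytes(32)  # hypothetical IdP signing key, assumed stolen
    idp = IdentityProvider(key)
    mail = EmailService(key, "mail.example")

    legit = mail.verify(idp.issue("alice", "mail.example", now), now)
    forged = mail.verify(forge_token(key, "ceo", "mail.example", now), now)  # accepted
    bad_key = mail.verify(forge_token(b"wrong-key", "ceo", "mail.example", now), now)  # rejected
    return legit, forged, bad_key, tokens_never_issued(idp, mail)


if __name__ == "__main__":
    legit, forged, bad_key, suspicious = demo()
    print("legit subject:", legit["sub"])
    print("forged token accepted as:", forged["sub"])
    print("wrong key rejected:", bad_key is None)
    print("token IDs with no IdP issuance record:", suspicious)
```

The service's own checks (signature, audience, expiry) all pass for the forged token, so nothing in the service's logs looks wrong on its own; with a real asymmetric setup the service holds only the public key, so the attacker needs the provider's private signing material, which is what makes stealing it so valuable. Reconciling accepted-token identifiers against the provider's issuance records is the check that surfaces a token minted outside the provider.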
It is unclear exactly what they extracted; the situation is reminiscent of the Chinese hack of the Office of Personnel Management, which went on for a year in 2014 and 2015, with the loss eventually tallied at more than 22 million security-clearance files and more than five million fingerprints.