Despite these initial indicators, the full scope and sophistication of the espionage campaign became clear only last week, after the cybersecurity firm FireEye revealed a damaging breach of its own network.
The US government's early detection, which was not previously reported, did not provide conclusive evidence that government networks had been compromised, but it was enough to worry senior cybersecurity officials about potential vulnerabilities.
The revelation illustrates how a select few at the highest levels of government saw early warning signs of a mass hacking campaign and launched a months-long investigation that eventually uncovered links to the sweeping and sophisticated espionage operation that shook Washington this week.
At least half a dozen federal agencies are known to have been targeted, including the Department of Homeland Security's cyber arm and the Departments of Agriculture, Commerce, Energy and State.
Investigators are still trying to determine what government data, if any, could have been accessed or stolen in the hack. The indicators identified during the early detection efforts did not reveal evidence of a classified data breach, two sources told CNN.
Two sources described the suspicious activity detected several months ago as a “persistent backdoor-activated threat”, consistent with the ongoing hacking effort unveiled this week, and added that there is still no indication that the hackers accessed classified systems or information.
At the time, officials investigating the activity could not link it to the specific IT management software that has since been identified as the source of the infections at other agencies.
The National Security Agency did not respond to CNN’s request for comment. US Cyber Command declined to comment.
Secretary of State Mike Pompeo said on Friday that the cyber attack on US federal government agencies “was a very significant effort and I think it is now clear that the Russians were the ones who got involved.”
“I can’t say much more, as we continue to unpack exactly what it is and I’m sure some of them will remain classified,” Pompeo said in an interview with The Mark Levin Show.
“But suffice it to say, there has been a significant effort to use some third-party software to essentially incorporate the code into U.S. government systems and, it seems, into the systems of private companies and governments around the world.”
Much of the federal government learned about one of the worst cybersecurity incidents in the country's history only from public reports and disclosures by private companies.
On December 8, FireEye revealed that it had been the target of a sophisticated, probably state-sponsored espionage attempt, and that several of its own hacking tools had been stolen.
Then, on December 13, Reuters was the first to report that the Commerce and Treasury Departments had been hit by hackers. The Commerce Department soon confirmed a security incident.
That same evening, FireEye said it had identified the source of its own intrusion: malicious code hidden in legitimate software updates published by SolarWinds, a widely used IT management software vendor.
The trojanized updates were distributed to up to 18,000 SolarWinds customers, including U.S. government agencies and Fortune 500 companies. The announcement set off a scramble by federal agencies to determine whether the infected software had been installed on their networks.
The Department of Homeland Security's cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency directive, only the fifth in the agency's two-year history, instructing all federal agencies to review their systems and disconnect or power down any affected SolarWinds Orion installations. CISA did not immediately respond to a request for comment.
CISA has quickly become a key player in the U.S. government’s response, holding several conference calls this week with federal, state and local officials, as well as private sector leaders, according to Daniel Dister, New Hampshire's chief information security officer, who participated in the calls.
CISA has been forthcoming with information to a wide range of audiences, Dister said. But other security experts say that what the public is asking of CISA far exceeds the support the agency has been given.
“It should be the federal agency that helps the federal government with cybersecurity,” said Robert Lee, CEO of cybersecurity firm Dragos. “But what they did and what Congress asked of them is to be partners with the industry, to offer services and free penetration tests. It was never something they were set up or structured to do, and there were never the resources to do it broadly.”
The burden on CISA to investigate the hack is likely to grow as evidence points to a multi-pronged campaign by the alleged Russian hackers.
“SolarWinds wasn’t the only way. It would be weird for any player with this ability to rely on a single input method,” said John Hultquist, senior director of intelligence analysis at FireEye.
CISA warned on Thursday that it had found evidence of other forms of compromise, but declined to elaborate beyond citing the research of an outside security firm.
This story has been updated with additional information.
CORRECTION: An earlier version of this story misstated John Hultquist’s title at FireEye. He is the senior director of intelligence analysis.
Jeremy Herb, Jim Sciutto, Alex Marquardt and Jenny Hansler contributed to this report.