The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.
Officials said a hunt was on to determine if other parts of the government had been victimized by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal systems in the past five years. Several said a series of national security-related agencies were also affected, though it was not clear whether the systems contained highly classified material.
In public, the Trump administration said little about the hack, which suggested that while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration — and unrelated to the election — were actually the subject of a sophisticated attack that they were unaware of until recent weeks.
“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, the spokesman for the National Security Council, said in a statement. The Commerce Department acknowledged that one of its agencies had been targeted, without naming it, and the Department of Homeland Security’s cybersecurity agency, whose leader was fired by President Trump last month for declaring there had been no widespread election fraud, said in a statement that it had been called in as well.
The motive for the attack on the Treasury and Commerce Departments remains elusive, two people familiar with the matter said. One government official said it was too soon to tell how damaging the recent attacks were and how much material was lost.
The revelation came less than a week after the National Security Agency, which is responsible for both breaking into foreign computer networks and defending the federal government’s most sensitive national security systems, issued a warning that “Russian state-sponsored actors” were exploiting flaws in a system that is broadly used in the federal government.
At the time, the N.S.A. refused to give further details of what prompted the urgent warning. Shortly afterward, FireEye, a leading cybersecurity firm, announced that hackers working for a state had stolen some of its prized tools for finding vulnerabilities in its clients’ systems, including the federal government’s. That investigation also pointed toward S.V.R., one of Russia’s leading intelligence agencies.
If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since a two-year spree in 2014 and 2015 in which Russian intelligence agencies gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff. It took years to undo the damage, but President Barack Obama decided at the time not to name the Russians as the perpetrators — a move that many in his administration now regard as a mistake.
Emboldened, the same group of hackers went on to hack the systems of the Democratic National Committee and top officials in Hillary Clinton’s campaign, touching off investigations and fears that permeated the 2020 contest.
“There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike, a cybersecurity firm that helped find the Russians in the Democratic National Committee systems four years ago. “Not unlike what we had seen in 2014-2015 from this actor, when they ran a massive campaign and successfully compromised numerous victims.”
According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week.
Most hacks involve stealing user names and passwords, but this was far more sophisticated. It involved the creation of counterfeit tokens, essentially electronic indicators that provide an assurance to Microsoft or Google about the identity of the computer system its email systems are talking to. By using a flaw that is extraordinarily difficult to detect, the hackers were able to trick the system and gain access.
Reporting was contributed by Alan Rappeport, Maggie Haberman, Julian Barnes and Zolan Kanno-Youngs.