Posted: 2020-12-15 05:00:13

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an unusual appeal for further information, asking anyone with knowledge of a breach to contact central@cisa.gov.

On Sunday evening, the agency also directed all federal agencies to disconnect SolarWinds products immediately and to report that they'd done so by noon Monday.

Spokesman Alexei Woltornist said the department was aware of reports of a breach and was investigating the matter.

The State Department, which was hacked by the same Russian spy service in 2014, declined to comment on Monday. The NIH could not be reached Monday evening for comment.

The Russian Foreign Intelligence Service, SVR, is believed to be behind the campaign, which has been running since at least the northern spring. The hackers gained access to their victims' systems through what is known as a "supply chain" attack, or taking advantage of routine software patches sent to these systems by SolarWinds, which provides network-management tools.

"It's not about quantity, it's about quality" of targets, said John Hultquist, manager of analysis at FireEye, a cyber security consultancy that also was breached this month and that discovered through its own investigation the targeting of SolarWinds.

"SolarWinds was clearly a door that they could walk through," he said. "We're shutting this door. But they're still in these organisations."

While Russia denies involvement, the FBI insists the sophisticated hack has Russian government involvement. Credit: Pool Sputnik Kremlin

Cyber security experts described the hacks as a sophisticated bit of online spying that left few clues of intrusion into networks. Investigators at FireEye marvelled in a blog post that the meticulous tactics involved "some of the best operational security" its investigators had ever seen, using at least one piece of malicious software never previously detected.

FireEye described the victims as including "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."

But the potentially good news is that stealthy attackers tend to prioritise surreptitious entrances and exits, while avoiding wholesale ransacking of computer systems that could tip off defenders. Such hackers typically are more focused on covering their tracks than simply backing up a digital truck and taking everything they can.

The potentially bad news, however, is that such careful, precise attacks can be effective at gathering sensitive information over the course of months or even years. While the details of what was taken and from whom are not yet public - the agencies and companies themselves may not even know for a while - the operation dates at least as far back as March and was described as active as recently as Sunday.

That's a nine-month stretch that included - to name just a few of the important events that would have created computer files interesting to spies - the worst of the coronavirus pandemic, the historically fast development of vaccines using novel technology and the US presidential and congressional elections.

But it has been vastly less disruptive, so far, than a range of Russian efforts in 2016, when hackers from that nation penetrated state election systems, infiltrated American social media conversations with hundreds of fictitious accounts and stole sensitive emails from Democrats and dumped them online at key moments in a hotly contested presidential campaign.

The Washington Post
