Alyza Sebenius and Jenny Leonard (Bloomberg) -- A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds Corp. was executed from within the U.S., a top White House official said, though the government believes Russia was responsible.
The federal investigation of the hack will take several months, Deputy National Security Advisor Anne Neuberger said in a briefing for reporters on Wednesday.
“As of today, nine federal agencies and about 100 private-sector companies were compromised,” Neuberger said. She didn’t identify them and said the government hasn’t ruled out the possibility of further victims.
She said the government believes it’s still at the “beginning stages” of understanding the scope and scale of the attack, which was publicly disclosed in December but was likely executed months earlier. “The hackers launched the hack from inside the United States which further made it difficult for the U.S. government to observe their activity,” she said.
Neuberger is leading the U.S. response to the SolarWinds attack. The Texas-based company’s software is used by several government agencies and Fortune 500 companies.
As many as 18,000 SolarWinds’s customers received malicious code through updates to the software, though far fewer are believed to have been targeted for further intrusions by the hackers. The targets included the federal departments of State, Treasury, Homeland Security, Commerce and Energy, including its nuclear weapons agency. The hackers used other methods to infiltrate networks besides SolarWinds, U.S. officials have said.
“Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions,” Neuberger said.
President Joe Biden said in a Feb. 4 speech at the State Department that the U.S. has “elevated the status of cyber issues within our government.”
The U.S. “will not hesitate to raise the cost on Russia” for the Kremlin’s aggressive behavior, including cyber-attacks, Biden said in the address.