Secretary of State Mike Pompeo said Friday it was clear that Russia was behind the widespread hacking of government systems that officials this week called “a grave risk” to the United States.
Mr. Pompeo is the first member of the Trump administration to publicly link the Kremlin to the cyberattack, which used a variety of sophisticated tools to infiltrate dozens of government and private systems, including nuclear laboratories and the Pentagon, Treasury and Commerce Departments.
“I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Mr. Pompeo said in an interview on the Mark Levin Show.
“This was a very significant effort,” he said, adding that “we’re still unpacking precisely what it is.”
President Trump has yet to address the attack, which has been underway since spring and was detected by the private sector only a few weeks ago. Until Friday, Mr. Pompeo had played down the episode as one of the many daily attacks on the federal government.
But intelligence agencies have told Congress that they believe it was carried out by the S.V.R., an elite Russian intelligence agency.
As evidence of the attack’s scope piled up this week, the Cybersecurity and Infrastructure Security Agency sent out an urgent warning on Thursday that the hackers had “demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks.”
The agency added that it was likely that some of the attackers’ tactics, techniques and procedures had “not yet been discovered.” Investigators say it could take months to unravel the extent to which American networks and the technology supply chain have been compromised.
Microsoft said it had identified 40 companies, government agencies and think tanks that the hackers had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.
“There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry,” Brad Smith, Microsoft’s president, said in an interview on Thursday.
FireEye was the first to inform the government that the hackers had infected the periodic software updates issued by a company called SolarWinds since at least March. SolarWinds makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.
The national security adviser, Robert C. O’Brien, cut short a trip to the Middle East and Europe on Tuesday and returned to Washington to run crisis meetings to assess the situation. The F.B.I., the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence formed an urgent response group, the Cyber Unified Coordination Group, to coordinate the government’s responses to what the agencies called a “significant and ongoing cybersecurity campaign.”
The Russians have denied any involvement. The Russian ambassador to the United States, Anatoly I. Antonov, said Wednesday that there were “unfounded attempts by the U.S. media to blame Russia” for the recent cyberattacks.
According to a person briefed on the attack, the S.V.R. hackers sought to hide their tracks by using American internet addresses that allowed them to conduct attacks from computers in the very city — or appearing so — in which their victims were based. They created special bits of code intended to avoid detection by American warning systems and timed their intrusions not to raise suspicions.
The attacks, said the person briefed on the matter, shows that the weak point for the American government computer networks remains administrative systems, particularly ones that have a number of private companies working under contract.
President-elect Joseph R. Biden Jr. said Thursday that his administration would impose “substantial costs” on those responsible.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Mr. Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.
Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.
Inside federal agencies and the private sector, investigators say they have been stymied by classifications and a siloed approach to information sharing.
“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.”
Reporting was contributed by David E. Sanger, Nicole Perlroth, Eric Schmitt and Julian Barnes.