Until now the administration has refrained from attributing the operation and President Trump, who has long expressed skepticism that Russia engaged in interference in the 2016 election, has not publicly addressed the issue.
Pompeo’s remarks come as government agencies and affected companies are scrambling to figure out the scope of the breaches, how the Russians carried them off without being detected for months and how to prevent future compromises.
The intrusions into federal agencies were first revealed last weekend, and with each day more agencies were discovered to have been breached. Besides the State Department, the list so far includes the Treasury, Homeland Security, Energy and Commerce Departments, as well the National Institutes of Health.
Pompeo said he could not say much more about the hacks as the investigations were ongoing.
“But suffice it to say, there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well,” he told Levin, a syndicated radio talk show host.
Pompeo did not specify which branch of the Russian government carried out the campaign, but U.S. officials have privately said they believe it is the foreign intelligence service, the SVR, which is a successor organization to the KGB.
Moscow has denied involvement.
The SVR waged a widespread cyber espionage campaign in 2014-2015 that ensnared the State Department, Pentagon Joint Chiefs of Staff and White House unclassified email networks, among other targets. The Obama administration saw that campaign, as disturbing as it was, as classic espionage of the sort that states engage in against each other, said Michael Daniel, who was Obama’s White House cyber coordinator. Officials were not aware of the thousands of other victims in the private sector and other countries, he said.
This time, the context is different. There is widespread publicity around the breaches, which could turn out to be unprecedented in scale. The nature of the compromises, involving corruption of software commonly used by large organizations around the globe, is alarming. And the public is much more attuned to Russia’s malign activity in cyberspace, in the wake of its 2016 election interference.
Thus far, there is no sign that the intrusions have resulted in disruption or destruction, and the SVR is known mostly for conducting espionage. That doesn’t mean, however, the activity is not a precursor to something beyond spying.
In any case, Pompeo’s “attribution is a very important step,” said Tom Bossert, who was Trump’s homeland security adviser until April 2018. “The United States can now direct its focus and unite the world against this outrage.”
He said the Russian government is holding American networks at risk. “We must impose a cost on the Russians,” he said. “Until we start defending digital infrastructure as if commercial and government operations depended on it, we will remain rudderless.”
Microsoft, a major software and cloud provider, alerted several federal agencies last weekend to the fact that they were breached, its president Brad Smith told The Post in an interview this week.
Smith said so far the company has notified a little more than 40 customers who were breached, and that 80 percent of them were in the United States. The others were in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates.
Britain so far has seen only a small number of victims, all in the private sector.
On Wednesday, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert calling the hacks “a grave risk” to the federal government, as well as state and local governments, critical infrastructure entities and the private sector.
A major avenue for breaching victims’ networks was through an update for computer software made by a Texas-based company called SolarWinds. The firm said about 18,000 customers that received the patch, for network management software called Orion, were potentially exposed. The Russians covertly added malware to the update, which installed a backdoor on computers that the hackers could use to enter a victim’s system at will.
But the intruders were selective in choosing who to compromise. Not everyone who downloaded the patch was seen as an attractive target, Microsoft said.
The SolarWinds update was not the only path into victims’ networks, CISA said in its alert this week. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said.
Microsoft is itself a SolarWinds customer and acknowledged in a statement this week it had found SolarWinds malware “in our environment,” which it isolated and removed.
In his interview with The Post, Smith said none of Microsoft’s customers had been breached through the software giant. “I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker.”
He said: “Lots of people have been hacked and a lot of the people that have been hacked happen to be Microsoft customers and Microsoft cloud customers. But that doesn’t mean they were hacked or attacked through the Microsoft cloud.”
Karen DeYoung contributed to this report.