Updated at 6 a.m. ET
Russian hackers working for the Kremlin are believed to be behind an attack into U.S. government computer systems at the departments of Treasury and Commerce that likely lasted months, according to reports Sunday.
The Kremlin has denied the allegation.
A spokesman for the National Security Council, John Ullyot, appeared to broadly confirm the breach, but offered no specifics about which country may have been involved.
“We have been working closely with our agency partners regarding recently discovered activity on government networks,” Ullyot said in a statement Sunday. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”
Microsoft said in a blog post late Sunday, “We believe this is nation-state activity at significant scale, aimed at both the government and private sector.”
Representatives from the two departments that were targeted did not immediately respond to NPR’s request for comment.
Speaking in Moscow on Friday, Kremlin spokesman Dmitry Peskov dismissed the allegations.
“Once again, I can reject these accusations and once again I want to remind you that it was President (Vladimir) Putin who proposed that the American side agree and conclude agreements (with Russia) on cyber security,” Peskov said, adding that Washington had ignored the offer.
“As for the rest, if there have been attacks for many months, and the Americans could not do anything about it, it is probably not worth immediately groundlessly blaming the Russians. We didn’t have anything to do with it,” he said.
The hackers are believed to have gotten into the government systems by tampering with software updates from the IT company SolarWinds. The company has government contracts, including with the military and intelligence services, according to Reuters. The attackers are believed to have used a “supply chain attack” method that embeds malicious code into legitimate software updates. The attack focused on the SolarWinds Orion products.
SolarWinds said in a statement that it was aware of its systems experiencing a “highly sophisticated, manual supply chain attack” on specific versions of its Orion platform software released between March and June of this year.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” the company said.
SolarWinds advised users to update to a newer version as soon as possible.
Members of the National Security Council, the Department of Homeland Security, and the FBI are investigating the breach and whether other government systems could have been hacked as well.
Overnight, the Cybersecurity and Infrastructure Security Agency (CISA), which is overseen by the Department of Homeland Security, issued an emergency directive calling on all federal civilian agencies to review their networks for signs of the compromise and to disconnect from SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
The agency said in its directive that, “Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.”
News of the breach comes less than a week after an attack into FireEye, a major U.S. cybersecurity company, was made public. The hackers in that attack, also believed to be Russians, stole the company’s key tools used to test vulnerabilities in the computer networks of its customers, which include government agencies.
If government officials are able to confirm the Russian government as the source of the attack, it would be considered the biggest theft of U.S. government data since a breach in 2014 and 2015, the Times reports.
During those earlier breaches, Russian intelligence has been blamed for accessing unclassified email systems at the White House, State Department and the Joint Chiefs of Staff. Russian actors are also responsible for the 2016 hacking of emails from the Democratic National Committee and Hillary Clinton’s presidential campaign. Moscow also denied these earlier allegations.
NPR’s National Security Correspondent Greg Myre contributed to this report.