The US government’s probe into the devastating SolarWinds breach is likely to take “several months” at least, according to the top White House cybersecurity official, speaking to reporters Wednesday in the Biden administration’s first public assessment of the gravity of the suspected Russian spying campaign.
At least nine federal agencies were specifically targeted by the hacking operation, said Anne Neuberger, deputy national security adviser, at Wednesday’s White House press briefing. At least 100 private-sector businesses were also compromised.
Those figures are the most specific yet to be released by the government about the scope and scale of the hack, though they are largely unchanged from prior statements by investigators. Until today, US officials had said fewer than 10 federal agencies had been implicated in the campaign.
Neuberger’s remarks come amid questions from US lawmakers and policy analysts over who in the Biden administration is leading the government’s response to the hack, particularly as key roles remain unfilled – including the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the national cyber director, a position newly created by Congress last month.
Neuberger’s brief address highlighted how the Biden administration is still trying to get its arms around the devastating breach. She said she has been in frequent discussions with lawmakers on the matter, and promised forthcoming executive action to address the security gaps the investigation has revealed so far. The executive action could include at least eight provisions, she said, without disclosing specifics.
As many as 18,000 of SolarWinds’ customers may have been unwittingly affected by a software vulnerability that foreign hackers quietly slipped into the company’s normal software updates, investigators have previously said.
That vulnerability gave the hackers an opening to launch highly customized, follow-up attacks intended to compromise specific targets of interest. CNN has previously reported that the Departments of Agriculture, Commerce, Energy, Homeland Security, Justice, Treasury and State were all affected by the hack. In addition, CNN has reported that the federal judiciary and the US Postal Service are investigating whether they may have been compromised.
It remains unclear what data the hackers may have accessed, though the Justice Department has said that roughly 3% of its Microsoft email accounts had been breached, in the most detailed account yet of the damage.
The federal agency victims were all of “high foreign intelligence interest,” Neuberger told reporters.
She declined to provide a time frame for the administration’s response to the hack.
“Due to the sophistication of the techniques that were used, we believe we’re in the beginning stages of understanding the scope and scale, and we may find additional compromises,” Neuberger said.
What’s already known about the scope and scale of the spying, however, makes the Russian campaign “more than an isolated case of espionage,” Neuberger said.
Last month, White House Press Secretary Jen Psaki said the administration will “reserve the right to respond at a time and in a manner of our choosing to any cyberattack.”
This story has been updated with additional details Wednesday.