Federal investigators reported Thursday on evidence of previously unknown tactics for penetrating government computer networks, a development that underscores the disastrous reach of Russia’s recent intrusions and the logistical nightmare facing federal officials trying to purge intruders from key systems.

For days, it has been clear that compromised software patches distributed by a Texas-based company, SolarWinds, were central to Russian efforts to gain access to U.S. government computer systems. But Thursday’s alert from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said evidence suggested there was other malware used to initiate what the alert described as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

While many details remained unclear, the revelation about new modes of attack raises fresh questions about the access that Russian hackers were able to gain in government and corporate systems worldwide.

“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.”

The U.S. government has not publicly blamed Russia for the hacks, but U.S. officials speaking privately say that Russian government hackers were behind the operation. Moscow has denied involvement.

The alert cited a blog post this week from Volexity, a Reston, Va.-based cybersecurity company, about repeated intrusions into an unnamed think tank that, according to the company, took place over several years without being detected. The attackers, who are described using a pseudonym in the Volexity post, gained access to the think tank’s networks using “multiple tools, backdoors, and malware implants” and exploited a vulnerability in Microsoft’s Exchange Control Panel software, which is central to the company’s email services.

In a statement, Microsoft said, “This is an ongoing investigation into an advanced and sophisticated threat actor that has several techniques in their toolkit. We have not identified any Microsoft product or cloud service vulnerabilities in the recent attacks.”

Only the last of three separate intrusions against the think tank, in June and July, involved a corrupted patch from SolarWinds, suggesting an aggressive, persistent hacking team with sophisticated tactics at its disposal.

The Department of Energy and the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, were also breached, officials said Thursday, joining a growing list of agencies reported in recent days to have been hacked by the Russians and that are central to U.S. national security and other core government functions. They include the State, Treasury, Commerce and Homeland Security departments, as well as the National Institutes of Health.

Politico first reported the breaches at the Energy Department and NNSA.

An Energy Department spokeswoman, Shaylyn Hynes, said that at this point, the investigation has found that the malware has been isolated to business networks and has not affected the department’s “mission essential national security functions,” including at the NNSA.

Thousands of private companies worldwide also were potentially affected, many in sensitive industries, after they uploaded software patches that were infused with malware, reportedly by Russia’s foreign intelligence service, known as the SVR.

Purging the intruders and restoring security to affected networks could take months, some experts say, because the hackers moved rapidly from the initial intrusions through the corrupted software patches to collect and deploy authentic system credentials, making discovery and remediation far more difficult. Closing the digital back doors initially created by the Russians will not suffice because they appear to have stolen keys to an unknown number of official doorways into federal and private corporate systems, according to investigators at FireEye, a cybersecurity firm that also was hacked.

On Monday, Microsoft and FireEye diverted the channel the Russians used to send commands to systems that download the corrupted patch, causing the malware to shut down. But that does not help those organizations whose networks the Russians have deeply penetrated.

The intruders into the U.S.-based think tank in each case were searching for email from particular targets, according to Steven Adair, president of Volexity. Only the Exchange vulnerability was Microsoft-related, but through it, the hackers were able to act as system administrators for the think tank’s network.

“If you can exploit it, it’s a pretty direct way into somebody’s infrastructure, with pretty high-level access,” Adair said.

Meanwhile, the SolarWinds issue continues to vex federal officials. The agency that runs the Department of Defense’s sprawling communications network downloaded a poisoned SolarWinds update that potentially exposed the agency’s network to the Russian hackers, according to U.S. officials, who, like others, spoke on the condition of anonymity because of the matter’s sensitivity.

It is unclear whether the hackers used their access to the Defense Information Systems Agency to steal any data from the department’s networks, the officials said. So far, there is no evidence they have, but the investigation is in its early stages, they said.

“We’re just at the front end of figuring out the points of contact and what might have been left behind,” said one U.S. official. “We’re taking it very seriously. We don’t know as much as we’d like to know. We’ll keep going till we do.”

DISA is the department’s information technology nerve center. Besides running its own network, which houses billions of dollars of contracts and computer network designs, it runs the Defense Department’s unclassified intranet, which serves 4 million to 5 million personnel around the globe, including contractors and troops in combat zones.

A defense official acknowledged Thursday that “our software supply chain experienced a cyber attack to their systems.”

But Vice Adm. Nancy A. Norton, commander of the Joint Force Headquarters for the Department of Defense Information Network, said in a statement, “To date, we have no evidence of compromise” of the network. The department defines a “network compromise” as “a known or suspected exposure of the DOD network to an unauthorized person.”

Downloading the infected patch likely exposed DISA to the adversary, said Greg Touhill, a retired Air Force brigadier general and the federal government’s chief information security officer from 2016 to 2017. “SolarWinds was a hugely powerful platform that we leveraged in the DOD. If I were still in uniform, I would assume breach.”

Experts were skeptical of the notion that the Russians would gain access to a Defense Department network — especially one as sensitive as DISA — and not exploit it over many months of presumed access.

“DOD is one of the top priority targets for Russian intelligence,” said Dmitri Alperovitch, a cybersecurity expert and executive chairman of the Silverado Policy Accelerator think tank. “I can’t imagine a situation where, given an opportunity like this, they would not take advantage of it to get inside, roam around and try to steal as much sensitive data as they could related to force structure and readiness, weapons systems, and other issues of strategic concern to them.”

The Russian hackers are known for their stealth and ability to dwell at length inside compromised networks undetected. “My biggest concern would be if you’ve got an advanced adversary that has been in the network for a long time,” said Jack Wilmer, until August the Pentagon’s chief information security officer, who has no independent knowledge of the incident. “It may be very difficult to get them out and to be assured of the fact they’re no longer there.”

At this point the National Security Agency, which is part of the Defense Department and operates the largest electronic surveillance capability in the world, is not thought to be compromised. Classified networks, in any case, are “air-gapped” or cut off from the open Internet and not likely to be at high risk, officials said.

So disturbing have the events been that national security adviser Robert C. O’Brien rushed back from a trip to Europe on Tuesday afternoon to coordinate the government response to the hacks.

On Monday, the National Security Council convened an emergency meeting of agencies under a 2016 presidential order to address coordination on a “significant cyber event,” according to an official. Key agencies present were the FBI, Department of Homeland Security and Office of the Director of National Intelligence.

President-elect Joe Biden said in a statement Thursday that he is seeking to learn as much as he can about the breaches. As president, he said, he will work with allies to impose costs on those responsible for such actions. “I will not stand idly by in the face of cyber assaults on our nation,” he said.

Follow The Post’s tech blog, The Switch, where technology and policy connect.