Secretary of State Mike Pompeo said previously that the breaches were “clearly” Russian in origin, and U.S. officials have for weeks said privately that Moscow’s foreign intelligence service carried them out.
The breaches were so alarming that they had government and private-sector personnel working through the holidays to identify and mitigate them, the task force said, describing them as “ongoing cyber compromises.” That sense of urgency stands in contrast to Trump’s effort last month to play down the significance of the breaches, saying that “everything is well under control.”
“It’s unfortunate that it has taken over three weeks after the revelation of an intrusion this significant for this administration to finally issue a tentative attribution,” said Sen. Mark R. Warner (Va.), the ranking Democrat on the Senate Intelligence Committee. “We need to make clear to Russia that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will prompt an appropriately strong response.”
Russia has denied any involvement.
The statement also said that so far investigators have identified fewer than 10 federal entities that had their networks breached, though that list includes major agencies such as the Departments of State, Treasury, Homeland Security, Energy and Commerce. And as the investigation continues, more federal agencies may turn out to have been compromised.
People familiar with the matter, speaking on the condition of anonymity because the investigation is ongoing, have told The Washington Post that they think as many as 250 government and private-sector entities have been compromised, though investigators are working to ascertain the exact scope of the hacks and to notify nongovernment entities affected.
Shortly after the intrusions were discovered last month, the National Security Council stood up a task force, the Cyber Unified Coordination Group, to coordinate the investigation and remediation of the incident.
The task force is made up of the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence, with support from the National Security Agency.
“We believe this was, and continues to be, an intelligence-gathering effort,” the task force said. That’s an indication that officials have not found evidence of an intent to disrupt or destroy networks, or to use hacked material for an influence operation aimed at sowing discord in the United States, as Russia did in 2016.
Rather, the statement indicated, the operation was more in line with traditional espionage, stealing material that might be useful to the Kremlin. That might include information on U.S. policy decisions, potential sanctions, or how the government or industry protects its networks.
“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement said.
It is unclear whether the Trump administration will do more than publicly call out Moscow for the hacks. In past cases involving cyberespionage, the United States has refrained from doing so on the grounds that the offending spy agency was doing what all nations with such capabilities, including the United States, do: spy on one another’s networks.
But that doesn’t mean the government can’t take action. The United States and Russia have both expelled spies or diplomats in response to espionage operations.
“We need to be able to respond to these incidents so they don’t go unchallenged,” said Christopher Painter, the top cyber-diplomat in the Obama administration. “When we don’t do that, we just invite further action. We don’t want to be escalatory, so we want to figure out what the right action is.”
Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, said the cyber-intrusions, as disturbing as they are, are not an act of war.
"I want a throat to choke on this thing — I'm angry that they got us," he told The Post. But any potential punishment should be carried out as "we would for other physical espionage operations."
Some U.S. officials expect that the administration, especially given Trump’s disinclination to believe that Russia engages in malign cyberactivity against the United States, will leave the matter to the incoming Biden administration.