BREACH — The story of the massive hacking campaign embroiling the federal government just keeps getting worse. Today, new evidence emerged of a wider range of victims, lawmakers stepped up their demands for answers and President-elect Joe Biden used the crisis to draw a contrast between himself and President Donald Trump.
The Department of Energy has found evidence that the hackers behind the massive and sophisticated cyber operation breached networks at the Federal Energy Regulatory Commission, two national laboratories, a DOE field office and a division of the National Nuclear Security Administration, POLITICO’s Natasha Bertrand reported. DOE acknowledged the breach late today, saying investigations to this point have shown “malware has been isolated to business networks only” and that national security functions were not impacted.
DOE, which manages the nation’s nuclear arsenal, joins the six previously known federal victims: the departments of Treasury, Homeland Security, State and Agriculture; the National Institutes of Health, and the Commerce Department’s telecommunications policy agency.
U.S. officials believe that the campaign, in which hackers infected software updates for an IT monitoring program made by a company called SolarWinds, is the work of a Russian intelligence agency known for careful, stealthy, long-term operations. In a public alert released today, DHS’ Cybersecurity and Infrastructure Security Agency warned that kicking out the hackers would be “highly complex and challenging” and said that the infected SolarWinds code was “not the only initial infection vector.” Hours later, Reuters reported that, in addition to SolarWinds, the Russians hacked another “major technology supplier” as a way of breaking into its customers’ networks.
SolarWinds has estimated that its infected code went to roughly 18,000 of its customers, but intelligence specialists cautioned that no espionage operation could possibly make use of all that access. Instead, experts said, the hackers will prioritize the most useful targets — those, such as the National Nuclear Security Administration, with the most valuable and potentially sensitive data. Officials have spent days scouring federal networks for more information about the breaches but are still unsure of what the hackers took. The National Security Council activated rarely used emergency response protocols, and a U.S. official told POLITICO that “this is probably going to be one of the most consequential cyberattacks in U.S. history.”
But federal agencies weren’t the only victims. At least three states were breached, according to Bloomberg News. It is unclear whether those victims simply discovered that they had received the infected SolarWinds updates or actually saw hackers operating on their networks. The security firm Volexity recently revealed that Russian hackers used the SolarWinds backdoor in the final of three intrusions into an unnamed American think tank.
The mounting toll of the cyber campaign, which the hackers stealthily began in March, prompted a flurry of inquiries from lawmakers. The top Democrats on the House Oversight and Homeland Security committees requested damage assessments about the operation today, while the leaders of the Senate Finance Committee asked the IRS if it had been hacked. Two Democratic senators have also asked the Treasury Department about its breach.
Trump has said nothing about the suspected Russian cyberattack, and Biden moved today to draw a contrast with him on the issue. “My administration will make cybersecurity a top priority at every level of government,” he said in a statement, “and we will make dealing with this breach a top priority from the moment we take office.” He pledged to improve private-sector and international partnerships, upgrade technology, train more digital defenders and impose “substantial costs” on adversaries. But he offered no details about his cyber agenda — including whether he would impose costs such as sanctions or retaliatory cyberattacks for espionage operations such as this one, in which most nations, including the U.S., engage regularly.