The US energy department is the latest agency to confirm it has been breached in what is being described as the worst-ever hack on the US government.
The department is responsible for managing US nuclear weapons, but said the arsenal’s security had not been compromised.
Tech giant Microsoft also said on Thursday that it had found malicious software in its systems.
Many suspect the Russian government is responsible. It has denied any role.
The US treasury and commerce departments are among the other targets of the sophisticated, months-long breach, which was first acknowledged by officials on Sunday.
Researchers, who have named the hack Sunburst, say it could take years to fully comprehend what is one of the biggest ever cyber-attacks.
How has the US government responded?
President Donald Trump is yet to comment on the cyber-attacks.
Meanwhile, US President-elect Joe Biden has vowed to make cyber-security a “top priority” of his administration.
“We need to disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place,” he said.
“We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in co-ordination with our allies and partners.”
America’s top cyber agency, the Cybersecurity and Infrastructure Agency (Cisa), gave a stark warning on Thursday, saying that addressing the intrusion would be “highly complex and challenging”.
It said “critical infrastructure” had been damaged, federal agencies and private sector companies compromised, and that the damage posed a “grave threat”.
The hack began in at least March 2020, and those responsible had “demonstrated patience, operational security, and complex tradecraft”, the Cisa said.
The agency did not identify what information had been stolen or exposed.
Addressing the attack on the energy department, spokeswoman Shaylyn Hynes confirmed it was responding to a cyber-breach – but said “the malware has been isolated to business networks only”.
She said security functions at the National Nuclear Security Administration (NNSA), which oversees US nuclear weapons, had not been affected.
A race to see what’s been stolen
The list of who was hacked is already long – and it is going to get longer. These are still early, and quite frantic, days in the investigation as government departments, companies and organisations race to see if they have a backdoor in their systems and what might have been stolen through it over a period of months.
The scale is potentially huge, but the truth is no-one is quite sure of the impact yet. So far, this looks to have been classic espionage – the targeted theft of information. There is not much sign yet that the hackers were planning to disrupt systems or carry out real world damage, although that could still emerge.
That also makes it trickier for the US to respond – after all, espionage is something it also carries out regularly. The problem is that in this case US defences were not good enough to spot and stop those responsible.
What do we know about the hack’s consequences?
“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Mr Biden has said.
Hackers are known to have at least monitored data within a range of key US government departments including state, defence, homeland security, treasury and commerce, Reuters news agency reports.
Cisa said the perpetrators managed to breach computer networks using network management software made by the Texas-based IT company SolarWinds.
Up to 18,000 SolarWinds Orion customers downloaded updates containing malicious software installed by hackers.
All US federal civilian agencies were told to remove SolarWinds from their servers earlier this week as a result.
Cisa said it was investigating “evidence of additional access vectors, other than the SolarWinds Orion platform”.
Microsoft said it had identified more than 40 of its customers who were targeted in the cyber-attack, including government agencies, think tanks, non-governmental organisations and IT companies. About 80% of these were in the US, while others were in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.
The company’s president Brad Smith said the attack was “remarkable for its scope, sophistication and impact”.
“This is not ‘espionage as usual,’ even in the digital age,” he wrote in a blog post. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
Neither Cisa or the FBI have publicly said who they believe to be behind the attacks, but private security companies and officials quoted in US media have pointed the finger at Russia.
The Washington Post cast suspicion on a Russian hacking group called Cozy Bear or APT 29, which has ties to the country’s spy agencies.
The Post reported that the same Russian group hacked the State Department and White House email servers while Barack Obama was president.
What is Russia saying?
In a statement shared on social media on Monday, the Russian embassy in the US said it “does not conduct offensive operations in the cyber domain”.
“Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the embassy said.