The Cybersecurity and Infrastructure Security Agency on Thursday issued a new warning that foreign adversaries had used more ways to attack U.S. computer networks than what has been reported about the breach of the SolarWinds network management software. 

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform,” the agency said in a statement. “However, these are still being investigated. CISA will update this alert as new information becomes available.” 

The agency said the attack discovered thus far “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” 

The agency spelled out technical details of the attack and steps organizations and agencies should take to recover. But the agency also warned that the process could be long and painful.  

The attacker “has demonstrated patience, operational security, and complex tradecraft in these intrusions,” the agency said in a statement. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.” 

The latest alert came even as federal agencies were still finding out who had been exposed to the attack on SolarWinds.

The latest victims appear to include the Department of Homeland Security, which is responsible for monitoring and stopping such attacks on U.S. federal agencies, as well as the IRS. Late Thursday, the Department of Energy said the hack had infected its business networks but not “mission essential” functions, including at the National Nuclear Security Administration, which works on nuclear weapons.

The attack, suspected to have been carried out by Russian intelligence agency SVR, has potentially exposed 18,000 SolarWinds clients after they downloaded and installed a software update that was infected with malware. 

On Wednesday, the Cybersecurity and Infrastructure Security Agency issued a joint statement with the FBI and the Office of the Director of National Intelligence, saying they had formed a “cyber unified coordination group to coordinate a whole-of-government response to this significant cyber incident.” 

On Thursday, Sens. Charles E. Grassley, R-Iowa, and Ron Wyden, D-Ore., respectively the chairman and top Democrat on the Senate Finance Committee, said that the Internal Revenue Service was one of the clients of SolarWinds, and that taxpayers’ information was potentially exposed. 

“The magnitude of the attack is hard to overstate,” wrote Tom Bossert, who was the White House cybersecurity adviser until the position was eliminated by President Donald Trump in April 2018. 

“President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government,” Bossert wrote in The New York Times. “He must use whatever leverage he can muster to protect the United States and severely punish the Russians.”

President-elect Joe Biden also issued a strong statement, with a thinly veiled warning: “I want to be clear: my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office … Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.”

Biden did not mention Russia by name in the statement. 

Sen. Mitt Romney, R-Utah, appearing on SiriusXM radio, criticized President Donald Trump for saying nothing about the cyber attack. “In this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary.”

The top lawmakers on the Senate Armed Services Committee said they had been briefed on the cyberattack and that they feared it had “the hallmarks of a Russian intelligence operation.”

Sens. James M. Inhofe, R-Okla., and Jack Reed, D-R.I., said the U.S. government “must do everything possible to counter” the attack and called on Trump to immediately sign the defense policy bill into law.

Trump has said he would veto the bill — despite veto-proof majorities in both chambers — because it does not contain any provisions to address social-media companies’ content moderation.

The FBI is leading the effort to investigate and gather intelligence “to attribute, pursue, and disrupt the responsible threat actors,” while CISA already had issued an emergency order asking all federal agencies to disconnect the SolarWinds software on their computers, according to the agencies. The Office of the Director of National Intelligence is gathering and sharing intelligence information with all agencies on the attack and its aftermath, the statement said. 

SolarWinds’ customers

Austin, Texas-based SolarWinds developed and supplied network management software that top U.S. government agencies and Fortune 500 companies used to monitor their own networks. On its now deleted customer list page, SolarWinds stated that its clients included 425 of the Fortune 500 companies, including Microsoft, Lockheed Martin and Ford Motor Co., as well as all “five branches of the U.S. military,” the Pentagon, plus the Justice Department, State Department, and the “Office of the President of the United States.” 

The company also mentioned the Centers for Disease Prevention and Control, the U.S. Air Force, the Federal Reserve among its customers. The company took down its customer page from its website after news of the attack, but a copy was stored on the Internet Archive.

News of the attack on SolarWinds came on the heels of another assault on FireEye, one of the world’s top cybersecurity firms. The attackers in that case stole tools used by the company to detect network weaknesses for its clients and prevent attacks. In both cases security experts have said that the attacks were carried out by the Russian intelligence service called SVR. The service, also known as APT 29 and Cozy Bear, was behind a 2015 attack on the Democratic National Committee. 

The attack on SolarWinds was so critical that the CISA issued an urgent bulletin on Sunday asking all federal agencies to examine their networks to see if they were using older versions of the SolarWinds software called Orion. If they did, they were told to immediately disconnect the software from their computers and “rebuild the Windows operating system and reinstall the SolarWinds software package.” 

The attack unfolded in March when hackers gained access to the SolarWinds network and were able to infect its server before updates were sent out to clients, who then downloaded the corrupted version that in turn allowed the attackers to gain access to clients’ networks. The flawed version of the software went out between March and June.

It’s unclear when SolarWinds first became aware of the breach, but the company announced the attack a week ago. 

Microsoft, whose Windows operating systems are used by a vast majority of government and private companies, took a series of steps to stanch the damage from the attack. 

The company first disabled fake digital certificates that tricked the Windows operating system into believing that the SolarWinds software updates were genuine. Then it updated its Windows Defender program to identify and alert users if it found the infected files. The company then followed it up with two more steps: Taking over the domain name that the attackers had devised as the command and control system for the malware to wrest control away from the attackers, and updating the Defender program to quarantine and effectively kill infected files on computer networks. 

Despite these steps SolarWinds customers continue to be worried, Jake Williams, a cybersecurity consultant and former hacker for the National Security Agency, wrote on Twitter. “Multiple customers have expressed a lack of confidence that the new build of SolarWinds Orion is clean,” he wrote, referring to the network management software.