Of course, the N.S.A. is hardly all-seeing, even after placing its probes and beacons into networks around the world. But if there is a major investigation — and it is hard to imagine how one could be avoided — the responsibility of the agency, run by Gen. Paul M. Nakasone, one of the nation’s most experienced cyberwarriors, will be front and center.
The S.V.R. hackers took immense pains to hide their tracks, said the person briefed on the intrusion. They used American internet addresses, allowing them to conduct attacks from computers in the very city — or appearing so — in which their victims were based. They created special bits of code intended to avoid detection by American warning systems, timed their intrusions so as not to raise suspicions — during working hours, for example — and used other careful tradecraft to avoid discovery.
The intrusion, said the person briefed on the matter, shows that the weak point for the American government computer networks remains administrative systems, particularly ones that have a number of private companies working under contract. The Russian spies found that by gaining access to these peripheral systems, they could make their way into more central parts of the government networks.
SolarWinds was a ripe target, former employees and advisers say, not only for the breadth and depth of its software, but for its own dubious security precautions.
The company did not have a chief information security officer, and internal emails shared with The New York Times showed that employees’ passwords were leaking out on GitHub last year. Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds’ update mechanism — the vehicle through which 18,000 of its customers were compromised. The password was “solarwinds123.”
Even if the Russians did not breach classified systems, experience shows that there is lots of highly sensitive data in places that do not have layers of classification. That was the lesson of the Chinese hack of the Office of Personnel Management five years ago, during the Obama administration, when it turned out that the security-clearance files on 22.5 million Americans, and 5.6 million sets of fingerprints, were being stored on lightly protected computer systems in, of all places, the Department of the Interior.
They are now all in Beijing, after the files were spirited out without setting off alarms.
“An intrusion like this gives the Russians a rich target set,” said Adam Darrah, a former government intelligence analyst, now director of intelligence at Vigilante, a security firm. “The S.V.R. goes after these targets as a jumping off point to more desirable targets like the C.I.A. and N.S.A.”
Eric Schmitt contributed reporting.