WASHINGTON — The Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership, a Democratic member of the Senate Finance Committee said on Monday, the first detail of how deeply Moscow burrowed into the Trump administration’s networks.
In a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.
The department learned of the breach not from any of the government agencies whose job is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software, Mr. Wyden said. He said that “dozens of email accounts were compromised,” apparently including in what is called the departmental offices division, where the most senior officials operate.
“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” he said.
An aide to Mr. Wyden said the department’s officials indicated that Treasury Secretary Steven Mnuchin’s email account had not been breached.
The newest disclosures underscored the administration’s conflicting messages about the source of the attacks and the extent of the damage as more reports about the targets leak out. A Treasury Department spokeswoman did not immediately respond to a request for comment.
Mr. Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.
“At this point, we do not see any break-in into our classified systems,” he said in an interview with CNBC. “Our unclassified systems did have some access.”
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.
“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
Mr. Mnuchin was among several top officials in the government who met with national security officials for the first time at the White House on Monday to assess the damage and discuss how to deal with it.
The meeting was a principals committee session led by Robert C. O’Brien, the national security adviser. It was held two days after Mr. Trump said the attack on federal networks was “under control,” was being exaggerated by the news media and might have been carried out by China rather than Russia, which has been identified by intelligence agencies, other government officials and cybersecurity firms as the almost certain source of the hacking.
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
But on Monday there was no public declaration attributing the hacking to Russia, perhaps reflecting Mr. Trump’s reluctance to confront Moscow over the issue and the doubts he has expressed about the seriousness of the attack.
The meeting, according to one senior administration official, was intended to “take stock of the intelligence, the investigation and the actions being taken to remediate” the attack. Absent from that description was any preparation for imposing a cost on the attacker. Mr. Trump did not attend the meeting.
Both President-elect Joseph R. Biden Jr. and his incoming chief of staff, Ron Klain, have said in recent days that the response once Mr. Biden was in office would go beyond sanctions to disabling the attacker’s abilities. But Mr. Biden will probably find the government’s response options are limited because of fear of escalation.
The list of attendees at the meeting was notable because it provided some indication of which parts of the government might have been affected. White House officials said Treasury Secretary Steven Mnuchin, Commerce Secretary Wilbur Ross, the acting homeland security secretary Chad F. Wolf and Energy Secretary Dan Brouillette were present. All of those agencies were previously identified by news organizations as targets of the hacking.
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
General Nakasone, an experienced cyberwarrior who is responsible for the defense of national security systems, has been silent since the hacking was revealed. At the N.S.A. and Cyber Command, officials said, there was extraordinary embarrassment that a private company, FireEye, had been the first to alert the government that it had been hacked.
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.
That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
Formally determining who was responsible for a hacking like this one can be time-consuming work, though the administration did so twice in Mr. Trump’s first year in office, pointing to North Korea for the so-called WannaCry attack on the British health care system and Russia for the “NotPetya” attack that cost Maersk, Federal Express and other major corporations hundreds of millions of dollars.
In this case, officials say, a formal declaration of who was responsible for the attack — which is needed to start any form of retaliation — may not come until after Mr. Biden is inaugurated. That would leave the Trump administration to focus on damage control but skip the hard questions of how to deter Moscow from future attacks.
Capt. Katrina J. Cheesman, a spokeswoman for Cyber Command, said that so far the military had found “no evidence of compromises” in the Pentagon’s network. She said that parts of the Defense Department’s “software supply chain source have disclosed a vulnerability within their systems, but we have no indication the D.O.D. network has been compromised.”
Julian Barnes contributed reporting.