Russian-Owned Software Company May Be Entry Point for Huge U.S. Hacking


Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.

Officials are investigating whether a Russian company, based in the Czech Republic, was a pathway for Russian hackers to insert malware that would flow to a number of technology companies.
Officials are investigating whether a Russian company, based in the Czech Republic, was a pathway for Russian hackers to insert malware that would flow to a number of technology companies.Credit...Kirill Kudryavtsev/Agence France-Presse — Getty Images

American intelligence agencies and private cybersecurity investigators are examining the role of a widely used software company, JetBrains, in the far-reaching Russian hacking of federal agencies, private corporations and United States infrastructure, according to officials and executives briefed on the inquiry.

Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for Russian hackers to insert back doors into the software of an untold number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.

JetBrains, which counts 79 of the Fortune 100 companies as customers, is used by developers at 300,000 firms. One of them is SolarWinds, the company based in Austin whose network management software played a central role in allowing hackers into government and private networks.

JetBrains said on Wednesday that it had not been contacted by government officials and was not aware of any compromise. The exact software that investigators are examining is a JetBrains product called TeamCity, which allows developers to test and exchange software code before its release. By compromising TeamCity, cybersecurity experts say the Russian hackers could have invisibly planted back doors in an untold number of JetBrain’s clients.

Separately, the Justice Department announced that its email system had been compromised as part of the SolarWinds hacking, an announcement that expands the scope of the government computers that Russia was able to access.

Government officials are not certain how the compromise of the JetBrains software relates to the larger SolarWinds hacking. They are seeking to learn if it was a parallel way for Russia’s main intelligence agency to get into government and private systems, or whether it was the original pathway for Russian operatives to first infiltrate SolarWinds.

On Tuesday, the Office of the Director of National Intelligence, the F.B.I., the Department of Homeland Security and the National Security Agency issued a joint statement declaring formally that Russia was most likely the origin of the hacking. But the statement offered no details, and made no mention of the JetBrains software or the S.V.R., Russia’s most skilled intelligence agency.

Among other customers of JetBrains are Google, Hewlett-Packard and Citibank. The company is widely used by developers of Android mobile software. It also counts Siemens, a major supplier of technology in critical infrastructure such as power and nuclear plants, as a customer as well as VMware, a technology company that the National Security Agency warned on Dec. 7 was also being used by Russian hackers to break into networks.

Yaroslav Russkih, a JetBrains spokesman, said the company did not know if TeamCity had been compromised or whether its customers had been affected. Mr. Russkih said the company had not been contacted by government agencies.

SolarWinds confirmed Wednesday that it used TeamCity software to assist with the development of its software and was investigating the software as part of its continuing investigation. The company said it had yet to confirm a definitive link between JetBrains and the breach and compromise of its own software.

SolarWinds previously said that 18,000 customers downloaded its compromised software, but investigators believe Russia was judicious in which of those networks it gained access to, making it difficult to quickly assess the damage.

In the joint announcement, officials said they believed the Russian hackers stopped at 10 federal agencies, but an internal assessment by Amazon, which has been examining hackers’ tools, believe the total number of victims in government and the private sector could be upward of 250 organizations.

Microsoft also announced on Dec. 31 that its network was breached by the same attackers, and confirmed that the intruders viewed the company’s source code. It has not said which products may have been compromised. CrowdStrike, a security firm, confirmed last month that it was targeted, unsuccessfully, through a Microsoft reseller, a company that sells software on behalf of Microsoft. Resellers help set up Microsoft software and often maintain broad access to clients’ systems, which Russia’s hackers could exploit on untold numbers of Microsoft customers.

The Justice Department did not learn of, and close off, the vulnerability in its Microsoft Outlook email system until Dec. 24, some 10 days after the SolarWinds compromise of government computers became public, officials said.

Marc Raimondi, a Justice Department spokesman, said that about 3 percent of the department’s email mailboxes that use the specific Microsoft software were compromised by the hack. He said no classified systems appear to be affected, but said that the episode had been designated as a major one.

“Compromising and introducing a back door into a build environment such as TeamCity is the holy grail of a supply chain hack,” said Dmitri Alperovitch, a co-founder of CrowdStrike who now runs Silverado Policy Accelerator, referring to the method Russian hackers used to enter victims’ systems through their supply chains, software vendors.

“It can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world.,” Mr. Alperovitch added. “This is a very big deal.”