The Energy Department was hacked as part of a massive, ongoing campaign against the U.S. government, a spokesperson said Thursday, making it the latest confirmed agency to have been breached by Russian spies.
A number of federal agencies have been hit by a massive monthslong breach, which officials believe is the work of Russian intelligence, leaving the government scrambling to find out what was infected and how much information was stolen.
"The investigation is ongoing and the response to this incident is happening in real time," Energy Department spokeswoman Shaylyn Hynes said in a statement.
"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration," she said.
Much of the campaign came after the hacking of SolarWinds, an Austin, Texas-based company that counts many government agencies and a number of major U.S. companies as customers. The hackers planted malicious code into software updates, which bypassed the federal cybersecurity scans.
The campaign, which is believed to have started in early March at the latest, was made public Dec. 8 when the cybersecurity company FireEye, which also does work for federal agencies, said it had been hacked. On Sunday, the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, released an emergency directive to uninstall the compromised version of SolarWinds' software.
Download the NBC News app for breaking news and politics
CISA notified the Energy Department on Sunday and immediately disconnected its systems, said a federal official with knowledge of the situation. Teams are now working round the clock to assess what, if anything, was exfiltrated, which may take weeks.
It was "one of the most sophisticated hacks" they have ever seen, said the official, who said the fact that the government learned of the breach only after a private company was hacked and after it had been going on for months was "truly breathtaking."
Hynes said in the department's statement that "immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network."
Only one other federal agency, the Commerce Department, has formally acknowledged that it was hacked as part of the SolarWinds campaign, but a number of other agencies, including the Homeland Security and Treasury departments, are reported to have also been breached.
On Wednesday, a joint statement from CISA, the FBI and the office of the director of national intelligence said the campaign was "significant and ongoing."