American intelligence agencies and private cybersecurity investigators are examining the role of an obscure software company, JetBrains, in the far-reaching Russian hack of federal agencies, private corporations and United States infrastructure, according to officials and executives briefed on the investigation.
Officials are investigating whether the company, founded in Russia and now headquartered in the Czech Republic, was a pathway for Russian hackers to insert back doors into the software of a number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.
JetBrains, which counts 79 of the Fortune 100 companies as customers, is used by developers at 300,000 firms. One of them is SolarWinds, the Austin, Texas, company whose network management software played a central role in allowing hackers into government and private networks.
Separately, the Justice Department announced that its email system had been compromised as part of the SolarWinds hack, an announcement that expands the scope of the government computers that Russia was able to access.
Government officials are not certain how the compromise of the JetBrains software relates to the larger SolarWinds hack. They are seeking to learn if it was a parallel way for Russia’s main intelligence agency to get into government and private systems, or whether it was the original pathway for Russian operatives to first penetrate SolarWinds.
On Tuesday, the Office of the Director of National Intelligence, the F.B.I., the Department of Homeland Security and the National Security Agency issued a joint statement declaring formally that Russia was most likely the origin of the hack. But the statement offered no details, and made no mention of the JetBrains software or the S.V.R., Russia’s most skilled intelligence agency.
Among other customers of JetBrains are Google, Hewlett-Packard and Citibank. Others include Siemens, a major supplier of technology in critical infrastructure such as power and nuclear plants, and VMware, a technology company that the National Security Agency warned on Dec. 7 was being used by Russian hackers to break into networks.
JetBrains did not immediately return a request for comment.
While the vulnerability was in much of the government infrastructure that downloaded the latest SolarWinds software, Russia was judicious in which of those networks it accessed, making it difficult to quickly assess the damage.
In the joint-agency announcement, officials said they believed the Russian hackers stopped at 10 federal agencies, but an internal assessment by Amazon, which has been examining hackers’ tools, indicates the total number of victims in government and the private sector could be upward of 250 organizations.
Microsoft also announced on Dec. 31 that its network was accessed by the same attackers, and confirmed that the intruders viewed the company’s source code. It has not said which products may have been compromised. CrowdStrike, a security firm, confirmed last month that Microsoft’s resellers, the companies that sell software on behalf of Microsoft, were also breached and used to attack its clients.
The Justice Department did not learn of, and close off, the vulnerability in its Microsoft Outlook email system until Dec. 24, some 10 days after the SolarWinds compromise of government computers became public, officials said.
Marc Raimondi, a Justice Department spokesman, said that about 3 percent of the department’s email mailboxes that use the specific Microsoft software were compromised by the hack. He said no classified systems appear to be affected, but said that the episode had been designated as a major one.