‘HOPE FOR THE BEST’: Experts do not know what networks the attackers are in and US federal workers would have to assume that unclassified networks had been infiltrated

It is expected to take months to kick elite hackers widely believed to be Russian out of the US government networks they have been quietly rifling through since as far back as March in Washington’s worst cyberespionage failure on record.

Experts said there simply are not enough skilled threat-hunting teams to identify all the government and private-sector systems that might have been hacked.

FireEye, the cybersecurity company that discovered the worst-ever intrusion into US agencies and was among the victims, has already tallied dozens of casualties. It is racing to identify more.

“We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they left,” said Bruce Schneier, a prominent security expert and Harvard fellow.

It is not clear exactly what the hackers were seeking, but experts said it could include nuclear secrets, blueprints for advanced weaponry, and information for dossiers on key government and industry leaders.

Many federal workers — and others in the private sector — would have to presume that unclassified networks are teeming with spies. Agencies would often have to conduct sensitive government business on Signal, WhatsApp and other encrypted smartphone apps.

“We should buckle up. This will be a long ride,” said Dmitri Alperovitch, cofounder and former chief technical officer of the leading cybersecurity firm CrowdStrike. “Cleanup is just phase one.”

The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” Schneier said.

Imagine a computer network as a mansion you inhabit and you are certain a serial killer has been there.

“You don’t know if he’s gone. How do you get work done? You kind of just hope for the best,” he said.

White House deputy press secretary Brian Morgenstern on Friday told reporters that US National Security Adviser Robert O’Brien has sometimes been leading multiple daily meetings with the FBI, the US Department of Homeland Security and the intelligence community, looking for ways to mitigate the hack.

He would not provide details, “but rest assured we have the best and brightest working hard on it each and every single day.”

The Democratic chairs of four US House of Representatives committees given classified briefings on the hack by the administration of US President Donald Trump issued a statement saying that they “were left with more questions than answers.”

“Administration officials were unwilling to share the full scope of the breach and identities of the victims,” they said.

Morgenstern earlier said that disclosing such details only helps US adversaries.

Trump has not commented publicly on the matter.

What makes this hacking campaign so extraordinary is its scale — 18,000 organizations were infected from March to June by malicious code that piggybacked on popular network-management software from an Austin, Texas, company called SolarWinds.

Only a sliver of those infections were activated to allow hackers inside.

FireEye said it has identified dozens of examples, all “high-value targets.”

Microsoft, which has helped respond, said it has identified more than 40 government agencies, think tanks, government contractors, non-governmental organizations and technology companies infiltrated by the hackers, 75 percent in the US.

Florida became the first US state to acknowledge falling victim to a SolarWinds hack.

Officials told reporters on Friday that hackers apparently infiltrated the state’s healthcare administration agency and others.

SolarWinds’ customers include most of the Fortune 500, and its US government client list is rich with generals and spymasters.

The difficulty of extracting the suspected Russian hackers’ tool kits is exacerbated by the complexity of SolarWinds’ platform, which has dozens of different components.

“This is like doing heart surgery, to pull this out of a lot of environments,” Tag Cyber chief executive officer Edward Amoroso said.

Security teams then have to assume that the patient is still sick with undetected so-called “secondary infections” and set up the cyber equivalent of closed-circuit monitoring to make sure the intruders are not still around, sneaking out internal e-mails and other sensitive data.

That effort would take months, Alperovitch said.

If the hackers are indeed from Russia’s SVR foreign intelligence agency, as experts believe, their resistance might be tenacious. When they hacked the White House, the US Joint Chiefs of Staff and the US Department of State in 2014 and 2015, “it was a nightmare to get them out,” Alperovitch said.