The US government has put out an emergency warning about what appears to be one of the most sophisticated cyber espionage campaigns in recent years.
Hackers working for a nation-state managed to infiltrate software used by key government agencies and the world’s largest companies just as the west went into lockdown earlier this year.
Here is everything we know so far.
Hundreds of thousands of organisations around the world rely on a piece of software called Orion to manage their IT networks.
The software, from the IT company SolarWinds, is described as a “single pane of glass” that can monitor everything in a system.
The hackers managed to insert malicious code into the software updates provided by SolarWinds to its customers, which then allowed them to open a back door that let them spy on their targets at will.
The updates were released between March and June this year, SolarWinds said, raising the possibility that the hackers have been inside some systems for as long as nine months.
The attack was not related to an hour-long outage of Google services on Monday.
Who has been hacked?
The scope of the attack is potentially huge. SolarWinds said on its website that it had 275,000 customers worldwide.
But the company said on Monday it believed that “fewer than 18,000” of its customers had downloaded the compromised updates.
FireEye, a cyber security company that revealed last week it had been a victim of the hacking campaign, said it had found other victims in “government, consulting, technology, telecom and extractive entities” across the world.
No major companies have disclosed that they have been hacked.
In the US, the commerce department said one of its bureaus had been breached. There were also reports that the Treasury department had been targeted, but it declined to comment.
UK and EU cyber security agencies have yet to comment on the extent of their exposure.
What is SolarWinds and what does it do?
SolarWinds is a 20-year-old technology company based in Austin, Texas, with revenues projected to exceed $1bn this year.
According to its website, SolarWinds’ clients include Microsoft, McDonald’s, Lockheed Martin and Yahoo, as well as many government and military departments in the US and abroad.
Some of America’s most sensitive intelligence targets are among its customers: all five branches of the US military; the Pentagon; the state department; the NSA; the Department of Justice; and the Office of the President of the United States, according to the company’s website.
Shares in SolarWinds fell 15 per cent in early trading on Monday after news of the hack emerged.
Who were the hackers and what were they looking for?
Western security experts quickly pointed the finger at Russia, though there has been no official confirmation.
FireEye said: “The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
One person familiar with the investigation said that American security sources believe the SVR, Russia’s foreign intelligence service, was behind the hack.
Robert Hannigan, former director-general of the UK signals intelligence agency GCHQ, said while it was still too early to tell who was responsible, Russian agencies have a history of using software updates to deliver attacks, as these attackers did via Orion. This was how a cyber unit operated by Russia’s GRU military intelligence service implanted the NotPetya virus into Ukrainian accountancy software in 2017.
Officials suggested the attack has all the hallmarks of an espionage operation, designed to target central government, defence, military and intelligence institutions.
Russia has denied any involvement, with Dmitry Peskov, president Vladimir Putin’s spokesman, labelling the accusations “groundless”.
What do we still not know?
One of the key questions, according to western security officials, is how the hackers managed to penetrate SolarWinds.
Possibilities include an insider at the company who helped the hackers gain access to its clients, or weaknesses in cyber security which meant its systems could be targeted remotely.
The other question is how many governments and companies may have been compromised.
Those who use Orion risk having been accessed directly, but cyber security experts point out that organisations that shared data with the targets could also have been compromised. This means that the potential repercussions could go far beyond the original Orion customer base.
Additional reporting by Tim Bradshaw in London