Explainer: How bad is the hack that targeted US agencies?

Governments and major corporations worldwide are scrambling to see if they, too, were victims of a global cyberespionage campaign that penetrated multiple U.S. government agencies and involved a common software product used by thousands of organizations.

Russia, the prime suspect, denies involvement. Cybersecurity investigators said the hack’s impact goes beyond the affected U.S. agencies, which include the Treasury and Commerce departments, though they haven’t disclosed which companies and other governments were targeted.

___

WHAT HAPPENED?

The hack began as early as March when malware was snuck into updates to popular software that monitors businesses and government computer networks. The malware, affecting a product made by U.S. company SolarWinds, gave the attacker remote access into an organization's networks so it could steal information. It wasn't discovered until the prominent cybersecurity company FireEye learned it was hacked. Whoever broke into FireEye was seeking data on its government clients, the company said — and made off with hacking tools it uses to probe its customers' defenses.

“There’s no evidence that this was meant to be destructive,” said Ben Buchanan, Georgetown University cyberespionage expert and author of “The Hacker and The State.” He called the campaign's scope, “impressive, surprising and alarming.”

Its apparent monthslong timeline gave the hackers ample time to extract information from a lot of different targets. Buchanan said the impact is likely to be significant and compared it to the 2015 Chinese hack of the U.S. Office of Personnel Management, in which the records of 22 million federal employees and government job applicants were stolen.

___

WHAT IS SOLARWINDS?

SolarWinds, of Austin, Texas, provides...