The hackers have been monitoring government networks since March after compromising the widely-used software made by IT company SolarWinds Corp.
The hackers inserted malicious code into otherwise legitimate software updates in what is known as a supply-chain attack, because it infects software while it’s being assembled.
President-elect Joe Biden said he would make cyber-security – and dealing with this specific breach – a top priority for his administration.
“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Biden said in a statement.
Democratic congressman Jason Crow, a member of the House Armed Services Committee, said on MSNBC: “I don’t think we can overstate how dangerous this is for our country right now”.
“Breathtaking is a word that certainly comes to mind for me – that’s why earlier today I referred to this as our modern-day cyber Pear Harbour. Both the depth and the breadth of the breach is incredible.”
Republican Senator Marco Rubio, the head of the Senate Intelligence Committee, said on Twitter: “The full extent of the cyberhack is still unknown but we already know it is unprecedented in scale & scope, in all likelihood ongoing & at a level of sophistication only a few nation-states are capable of.”
Rubio said he believed the methods of the hack were consistent with Russian cyber operations but it was crucial to reach a definitive answer about who was responsible.
“We can’t afford to be wrong on attribution because America must retaliate, and not just with sanctions,” he said.
The Russian government has denied responsibility for the hack.
Republican Senator Mitt Romney described Trump’s lack of response as “extraordinary”, saying the country faces the modern equivalent of “Russian bombers reportedly flying undetected over the entire country”.
Democratic Senator Mark Warner said: “It is extremely troubling that the President does not appear to be acknowledging, much less acting upon, the gravity of this situation.”
In a statement on its website, SolarWinds said: “We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted and manually executed attack, as opposed to a broad, system-wide attack.”
In a lengthy blog post Microsoft President Brad Smith said the attack was “not espionage as usual, even in the digital age”.
“Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” he wrote.
“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Matthew Knott is North America correspondent for The Sydney Morning Herald and The Age.