The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign and had no comment Sunday.
All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter.
The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously tampered with in a “highly-sophisticated, targeted . . . attack by a nation state.”
The scale of the Russian espionage operation appears to be large and is potentially vast, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds is used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.
SolarWinds is also used by the top 10 U.S. telecommunications companies.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
Also compromised was a leading cybersecurity firm, FireEye, which last week reported it was breached. The Washington Post reported that APT29 was the group behind that hack.
It is not clear what information was accessed from the government agencies, though FireEye disclosed it has lost hacking tools that the company uses to test clients’…