Cybersecurity and Infrastructure Security Agency (CISA) said in a statement posted to its website that the hacking campaign, which used SolarWinds as a springboard to penetrate federal government networks, was “impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organisations”.

The CISA said last week that US government agencies, critical infrastructure entities, and private groups were among those affected, but did not specifically mention state or local bodies. So far only a handful of federal government agencies have officially confirmed having been affected, including the Treasury Department, the Commerce Department, and the Department of Energy.

CISA did not identify the state or local agencies affected and did not immediately return an email seeking additional detail on the notice.

Senior US officials and lawmakers have alleged that Russia is to blame for the hacking spree, a charge the Kremlin denies.