The SolarWinds hack is still unfolding. A good summary article from Bruce Schneier explains just how bad it is.
Some important points to note:
Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide.
Possible Root Cause (so far)
We don’t know how the update was corrupted, but last year the company’s update server was protected by the password “solarwinds123”. Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
SolarWinds’ customers include all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges.