The SolarWinds attack likely came from Russia, the FBI has said.
CNET/Amanda Kooser

Key government intelligence agencies said Tuesday the SolarWinds hack is “likely Russian in origin,” according to a joint statement from the FBI, NSA, Cybersecurity and Infrastructure Security Agency (CISA) and Office of the Director of National Intelligence (ODNI). It’s the first time the four agencies have attributed the cyber attack to Russia.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the statement said. “At this time, we believe this was, and continues to be, an intelligence gathering effort.”

The hack started in March 2020 at the latest, when hackers compromised IT management software from Austin, Texas-based company SolarWinds, which has thousands of customers in the public and private sectors. The hackers placed malicious code into a legitimate update to a popular SolarWinds software product, and around 18,000 of the company’s customers installed the tainted update.

US Secretary of State Mike Pompeo said in an interview in December that the hack was likely of Russian origin, but there had been no formal attribution until now. CISA issued a statement in December acknowledging an ongoing compromise, carried out by an advanced persistent threat, affecting government and private organizations.

Advanced persistent threats are hacking groups identified by cybersecurity experts and government intelligence agencies that appear to have significant resources and skills, and are frequently affiliated with a nation-state. Tuesday’s statement didn’t attribute the SolarWinds hack to a specific APT, but government sources have reportedly blamed APT29, nicknamed Cozy Bear, for the attack.

The Cyber Unified Coordination Group, made up of the FBI, NSA, CISA and ODNI, continues to investigate the hack. The joint statement added that, of the 18,000 affected organizations, a much smaller number were “compromised by follow-on activity on their systems.” The targets that saw further compromise after installing the tainted update include fewer than 10 government agencies.

The breach reportedly included an email system used by senior leadership at the Treasury Department. Government officials have confirmed breaches at the Treasury Department as well as the Departments of Energy and Commerce. The hack also reportedly hit the Department of Homeland Security, the Pentagon and the State Department, as well as the National Institutes of Health and the National Nuclear Security Administration.