The Biden administration is planning a broad package of measures, including sanctions, to punish Russia over the sprawling SolarWinds espionage campaign that struck at the heart of the US government. US officials have previously said the hack, believed to have started early last year, has directly affected at least nine federal agencies and about 100 companies. Officials have said the attack was “likely of Russian origin”, although the US intelligence community has yet to issue its final conclusion.

The administration was also planning measures to secure commercial networks and improve third-party services, according to two people briefed on the matter. “There are Russia-specific measures being developed that will go beyond sanctions,” said one of the people briefed on the matter, adding these would be part of “a package of measures” aimed at Moscow.

The steps under consideration underscore the tougher line Joe Biden’s administration is preparing to take against Russia on a number of fronts from espionage to human rights, including the jailing of Alexei Navalny, the opposition leader who has accused Russian spies of nearly killing him with a chemical nerve agent in August.

The hackers gained access to systems by hijacking software in March last year from SolarWinds, a Texas-based information technology company, alongside several other methods. At least 18,000 companies and agencies were potentially exposed. The hackers went on to select particular targets to pursue further, lurking in their emails and impersonating legitimate employees in order to access sensitive information in the cloud.