STEVEN ADAIR WASN'T ТОО RATTLED AT FIRST. IT WAS LATE 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special.

Adair figured he and his team would rout the attackers quickly and be done with the case-until they noticed something strange. A second group of hackers was active in the think tank's network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff. Adair and his colleagues dubbed the second gang of thieves "Dark Halo" and booted them from the network. But soon they were back. As it turned out, the hackers had planted a backdoor on the network three years earlier-malicious code that opened a secret portal, allowing them to enter or communicate with infected machines. Now, for the first time, they were using it. "We shut down one door, and they quickly went to the other," Adair says.

His team spent a week kicking the attackers out again and getting rid of the backdoor. But in late June 2020, the hackers somehow returned. And they were back to grabbing email from the same accounts. The investigators spent days trying to figure out how they had slipped back in. Volexity zeroed in on one of the think tank's servers-a machine running a piece of software that helped the organization's system admins manage their computer network. That software was made by a company that was well known to IT teams around the world, but likely to draw blank stares from pretty much everyone else-an Austin, Texas, firm called Solar Winds.