Community bank and credit union trade groups have been monitoring the recently discovered cyberattack on the U.S. government and businesses, as questions remain about the extent of the attack on the financial industry.

“The supply chain attack on the SolarWinds Orion Platform, and the subsequent breaches to its customers, is a significant cybersecurity event that is affecting every corner of the public and private sectors, including community banking,” ICBA President and CEO Rebeca Romero Rainey said in a letter to community bankers.

The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information.

It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said – and made off with hacking tools it uses to probe its customers’ defenses.

SolarWinds said in a financial filing that it sent an advisory to about 33,000 of its Orion customers that might have been affected, though it estimated a smaller number of customers – fewer than 18,000 – had actually installed the compromised product update earlier this year.

The ICBA said it would continue to monitor developments and provide its members with information as it became available.

“While there are many pressing priorities right now given the coronavirus pandemic and stimulus negotiations, the security of community banks and their customers is of the utmost importance to ICBA,” Romero Rainey said.

The Credit Union National Association said on its website that it is working with the National Credit Union Administration, the U.S. Treasury Department and other government agencies to determine how the cyberattack affected the financial sector and next steps for credit unions.

CUNA also sent a letter Thursday to the NCUA, the industry’s regulator, asking for transparency and regulatory relief from the agency.

“As the NCUA seeks to determine the attack’s impact on the agency and as credit unions do the same, CUNA members have two concerns,” CUNA President and CEO Jim Nussle wrote in the letter. “First, we urge the agency to be forthright in its communications with credit unions if it is determined that the agency is impacted. Second, we call on NCUA to suspend the collection of data from credit unions until it can ascertain that its systems have not been and are not compromised.”

CUNA added that it suggested the NCUA consider “issuing guidance to alleviate stress from impacted credit unions as the full scope of the data breach will not be known for quite some time due to the complexity and sensitive nature of the attack.”

Massachusetts state government uses some of the software thought to be the main point of entry for this cyberattack and some offices have noticed unusual behavior around their cyber assets. However, administration officials said Thursday that they have not found evidence that state government systems have been compromised to this point.

Auditor Suzanne Bump said her office noticed some out-of-the-ordinary activity on its networks, but no compromises.

“We did a check of our systems. We do use SolarWinds and the Orion platform, and we could detect some, a few instances of, monitoring of our traffic but no intrusion, per se,” Bump said Wednesday afternoon during a meeting of the Comptroller Advisory Board.

Peter Scavotto, the assistant comptroller who serves as the office’s head of risk, said the comptroller’s office uses a different type of SolarWinds software. He said the office’s technical team “looked into that and it is not on the list of software that was attacked.”

On Monday, the Executive Office of Technology Services and Security got in touch with chief information officers from executive branch offices and independent state agencies to share information about this most recent cyberattack. Cabinet Secretary Curt Wood said that EOTSS had “looked for signs of compromise” and “we did not find any at this time.” He also encouraged CIOs to review an advisory from SolarWinds and to make any patches that are necessary as soon as possible.

Bump described the communication as “very reassuring” and Comptroller William McNamara said he “took comfort” in the note from Wood.

“EOTSS is currently putting a plan together to implement software upgrades as recommended by SolarWinds and in line with the advisory sent out by CISA today. Our enterprise network security teams are continuing to monitor for any signs of compromise as a precaution,” an EOTSS spokesperson said in a statement.

The Associated Press and State House News Service contributed to this report.