The threat actor used the stolen key to breach 25 organizations, including US government agencies