A group of government-backed hackers used an almost six-year-old Telerik vulnerability to break into a US federal agency’s Microsoft IIS web server, underscoring the importance of patching.