The suspected Russian hackers who compromised computer networks of US federal agencies last year using SolarWinds and Microsoft software stole information related to counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, Reuters reported, citing people familiar with the investigation into the hack.
In early 2020, the hackers secretly infiltrated Texas-based SolarWinds' systems and added malicious code into the company's Orion monitoring and management platform, which is used by tens of thousands of companies.
The threat actor also "took advantage of weaknesses in Microsoft's methods for identifying users in Office 365, breaching some targets that used Microsoft software but not SolarWinds."
While the breach received a great deal of press coverage, little has been shared about the attackers’ goals and successes.
One of the people involved told Reuters that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.
In its annual digital defense report, Microsoft said that the hackers behind the breach were interested in government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers.
Microsoft drew its conclusions from the types of customers and accounts it observed being targeted, Cristin Goodwin, general manager of Microsoft's Digital Security Unit, told Reuters.
Chris Krebs, the former head of US cyber-defense agency CISA, said the combined descriptions of the attackers’ goals were logical.
"If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense," Krebs said.
He also said that the second thing to learn is how the target responds to attacks.
"I want to know what they know about me so I can improve my tradecraft and avoid detection," he said.