The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into US federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters.
The hacks were widely publicised after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies' aims and successes.
The reluctance of some publicly traded companies to explain their exposure has prompted a broad Securities and Exchange Commission inquiry.
The campaign alarmed officials with its stealth and careful staging. The hackers burrowed into the code production process at SolarWinds, which makes widely used software for managing networks.
The group also took advantage of weaknesses in Microsoft's methods for identifying users in Office 365, breaching some targets that used Microsoft software but not SolarWinds.
It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the departments of treasury, commerce and homeland security. Nine federal agencies were breached. The hackers also stole digital certificates used to convince computers that software is authorised to run on them and source code from Microsoft and other tech companies.
One of the people involved said that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.
Spokespeople for the Justice Department and White House did not respond Wednesday to requests for comment.
In an annual threat-review paper released on Thursday, Microsoft said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with US methods for catching Russian hackers.
Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted. In such cases, she told Reuters, “You can infer the operational aims from that.”
Others who worked on the government’s investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including “sanctions.”
Chris Krebs, the former head of U.S. cyber-defence agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers’ goals were logical.
“If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense,” Krebs said.
The second thing is to learn how the target responds to attacks, or "counter-incident response," he said, "I want to know what they know about me so I can improve my tradecraft and avoid detection.”
(Reporting by Joseph Menn and Christopher Bing; editing by Peter Henderson)