The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation have said.
The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies’ aims and successes.
The reluctance of some publicly traded companies to explain their exposure has prompted a broad Securities and Exchange Commission inquiry.
The campaign alarmed officials with its stealth and careful staging. The hackers burrowed into the code production process at SolarWinds, which makes widely used software for managing networks.
The group also took advantage of weaknesses in Microsoft’s methods for identifying users in Office 365, breaching some targets that used Microsoft software but not SolarWinds.
It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the departments of treasury, commerce and homeland security.
Nine federal agencies were breached. The hackers also stole digital certificates used to convince computers that software is authorized to run on them and source code from Microsoft here and other tech companies.
One of the people involved said that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.
In an annual threat-review paper released on Thursday, Microsoft said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers.
Others who worked on the government’s investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including “sanctions.”
Chris Krebs, the former head of U.S. cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers’ goals were logical.
The second thing is to learn how the target responds to attacks, or “counter-incident response,” he said: “I want to know what they know about me so I can improve my tradecraft and avoid detection.”