Hackers of SolarWinds Stole Data On US Sanctions Policy, Intelligence Probes

An anonymous reader writes: The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters. The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies’ aims and successes. […] It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the departments of treasury, commerce and homeland security. Nine federal agencies were breached. The hackers also stole digital certificates used to convince computers that software is authorized to run on them and source code from Microsoft(MSFT.O) and other tech companies. One of the people involved said that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.

In an annual threat-review paper released on Thursday, Microsoft said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers. Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted. In such cases, she told Reuters, “You can infer the operational aims from that.” Others who worked on the government’s investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including “sanctions.”

Chris Krebs, the former head of U.S. cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers’ goals were logical. “If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense,” Krebs said. The second thing is to learn how the target responds to attacks, or “counter-incident response,” he said: “I want to know what they know about me so I can improve my tradecraft and avoid detection.”