Christopher Bing and Joseph Menn

SAN FRANCISCO (Reuters) – The suspected Russian hackers who used SolarWinds and Microsoft (NASDAQ:) software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters.

The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity. However, little information has been released about the goals and achievements of the spy.

The reluctance of some publicly traded companies to explain their exposure has prompted a broad Securities and Exchange Commission inquiry https://www.reuters.com/technology/exclusive-wide-ranging-solarwinds-probe-sparks-fear-corporate-america-2021-09-10.

Officials were alarmed by the campaign’s stealthy and carefully staged events. SolarWinds produces widely used software to manage networks.

This group took advantage of Microsoft’s weaknesses when it comes to identifying Office 365 users. They broke into some targets using SolarWinds, but Microsoft software.

The hackers accessed unclassified Justice Department networks, read email at departments of commerce and homeland security and breached their passwords. The hackers hacked into nine federal agencies. The hackers also stole digital certificates used to convince computers that software is authorized to run on them and source code from Microsoft https://www.reuters.com/business/solarwinds-hackers-studied-microsoft-source-code-authentication-email-2021-02-18 and other tech companies.

One person involved stated that Russia’s exposure to counter-intelligence issues was one of their worst losses.

On Wednesday, White House and Justice Department spokespersons did not reply to our requests for comment.

Microsoft released an annual threat review paper on Thursday stating that Russian spy were looking for information on the government and Russia-related policies. They also wanted to know about U.S. techniques for catching Russian hackers.

Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted. In such cases, she told Reuters, “You can infer the operational aims from that.”

Others who worked on the government’s investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including “sanctions.”

Chris Krebs, the former head of U.S. cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers’ goals were logical.

“If I’m a threat actor in an environment, I’ve got a clear set of objectives. The first is to gain valuable intelligence about government decision-making. Sanctions policy makes a ton of sense,” Krebs said.

The second thing is to learn how the target responds to attacks, or “counter-incident response,” he said: “I want to know what they know about me so I can improve my tradecraft and avoid detection.”