Some details in the story are missing. First, it's not clear whether the stolen credentials were ever used successfully. That could give access to private data, something which isn't mentioned. That might be because the site is separately reported to have been using multi-factor authentication (MFA), an additional barrier against attack that all public-facing government websites now use. Depending on how stealthy the attackers were, a deeper compromise would also have been likely to have left a forensic trace somewhere in log files.
An important question is who stole the credentials, and whether this was opportunistic or part of a larger campaign. The theory is that the attacks were carried out by criminals with links to the Russian government, even though the evidence for such links remains circumstantial.
However, if Russian intelligence did benefit, it was extremely sloppy to allow the credentials to be posted to a dark web site where they must have known the loss would eventually be detected.