Computers and more accounts within the target organizations

 With the passwords that they acquired, they almost certainly used that to get access to more computers and more accounts within the target organizations. It seems their end goal was getting not just passwords, but also files and the like, and then pulling those pieces of information back out in an espionage operation. I think it probably is too soon to say how extensive that espionage was, and it’s too soon to say how many of the possible victims actually were breached in this way. SolarWinds says it was fewer than 18,000 organizations—which is not a reassuring number, because it’s big. That seems to be the upper end on the reach of the espionage operation.

I’m sure every large organization relies on something similar to manage a network that’s particularly complicated. This kind of enterprise management is just part of running a modern, large organization—and the challenge right now is that these organizations have to trust somebody’s software. In this case, one of the companies that they trusted turns out to have been breached. I’m sure information technology vs computer science is not the only organization that's in this position of trust. And I’m sure any organization that sees itself used by so many high-profile targets is itself a target.