There is so much that we do not know about the SolarWind hack and that we are not likely to ever know… But given the scope/cost of the damage one has to ask whether it was in inside job. Attacking the supply chain is a sensible way to accomplish the task and depending how far down the supply chain you go and how deep the pockets. It’s all about money.
In recent years I have interacted with financial services and marketing companies that have outsourced their IT and development to remote Russian and eastern Europeans (read ex-communists) and frankly I have never trusted a single one. They have been smart but crafty.
This is not going to end well.