Microsoft says that the goal of the SolarWinds supply chain compromise was to pivot to the victims’ cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. Microsoft also detailed the step-by-step procedure the attackers used to gain access to their victims’ cloud assets. The attackers’ ultimate goal was to generate SAML (Security Assertion Markup Language) tokens, forging authentication tokens that allow access to cloud resources. The NSA also shared mitigation measures against unauthorized cloud access, which require making it difficult for threat actors to access on-premises identity services.
Source: https://www.bleepingcomputer.com/news/security/microsoft-solarwinds-hackers-goal-was-the-victims-cloud-data/

