This is light on one detail: who was running the compromised infrastructure?
Because the US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars. And here, the report conveniently doesn’t mention who let the hackers in.
I’d like to know which sloppy cloud contractor is responsible.
It’s a hell of a lot wider than one specific sloppy contractor. They basically compromised everybody (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, the system for CALEA requests, routers made by Cisco, phones belonging to Trump and Vance… basically, everything). Viasat is on that list, but they’re not particularly sloppier than any other contractor in that space. Basically, it would have been truly remarkable if some Guard agency had managed to hire a cloud contractor that was able to resist it.
who was running the compromised infrastructure?
The DoD report doesn’t get into it. It repeatedly references “a US state’s Army National Guard network”, which is probably not the same network as the US Army’s network. It’s also likely to be an Unclassified network, so it’s not quite as bad as it could be. But also not great.
the US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars.
While some of it is on Microsoft’s and other cloud providers, there is also a lot which isn’t. On top of that, much of the stuff “in the cloud” is all IaaS or PaaS. So, while MS, et al. run the hardware, the operating systems and software are often run by the IT departments for the various branches and programs. These IT departments will be some mix of US Civilian State or Federal employees and then a lot of IT contractors. Generally, the people doing the actual IT work are contractors working for companies like Boeing or Booz Allen Hamilton.
I’d like to know which sloppy cloud contractor is responsible.
If you want to find the people responsible, find the managers who have programs on the “state’s Army National Guard network” (as the report puts it) and figure out which one of them either authorized some sort of “shadow IT” project, or just threw a hissy fit every time the IT folks tried to roll out patches. That’s often how these things go. The report mentions multiple CVEs which were exploited, and I’d place a pretty large bet that they were unpatched in the environment because some manager whined loud enough to get his assets exempted from patching. All too often these types of vulnerabilities hang out there far too long because some department wants high availability on their stuff, but isn’t willing to pay for high availability. So, they bitch and moan that they should be exempt from regular patching. And upper management isn’t willing to back IT and say, “No, you aren’t special, you get patched like everyone else.”
Guard? Yeah, that shit doesn’t even stay powered on for more than like a week a month lol
This was already the presumption. The rule of thumb is “assume you’re always being watched.”
skill issue
Didn’t the Chinese exploit what is now known as a back door?
Now all these clowns doing pikachu face 🤡
Funny, they were handed a secure bootstrap thanks to GNU Guix and stage0; yet they chose not to just rebootstrap their shit from trusted source code.
Boots into secure bootstrap
npm install
I’m not sure that the Ken Thompson type of backdoor is even on the radar as an urgent enough threat to be worth worrying about at this point. I mean, it’s fine, but the boot-i-est of bootstraps at this point is the network hardware that’s running the network you are trying to secure, and most of it is riddled with holes which are likely to largely undo whatever you’re trying to do, sad to say.
It only takes one secure system to set up a secure network if one physically has control over the hardware; fiber optic cables need only be trusted to carry encrypted data and be monitored for physical tampering.
Oh no. I’m sure all of America’s friends really care deeply about this.
ಠ_ಠ
(Hint: they don’t have any.)
They don’t have friends but what they do have is strategic alliances with other nations to share data and this detrimentally affects those nations too. So there’s that.
You mean those alliances that are fraying as fast as US credibility?
Edit: countries around the world, including NATO, are rearming because no one trusts the US anymore.
Also Agent Krasnov has already likely sold any info of value to Putin.