Some details in the story are lacking. First, it’s not clear whether the stolen credentials were ever used successfully. Successful use would have given access to personal data, something which is not mentioned. That might be because the site is separately reported to have been using multi-factor authentication (MFA), an additional barrier against attack that all public-facing government websites now use. Depending on how stealthy the attackers were, a deeper compromise would also have been likely to leave a forensic trace somewhere in log files.
An important question is who stole the credentials, and whether this was opportunistic or part of a larger campaign. The assumption is that the attacks were carried out by criminals with links to the Russian government, even though the evidence for such links remains circumstantial.
However, if Russian intelligence did benefit, it was incredibly sloppy to allow the credentials to be posted to a dark web site where they must have known the loss would eventually be detected.