As near as I can tell from the Markoff article, the infiltration was made possible by run-of-the-mill phishing attacks. (Markoff says it's called "whaling" when it's directed at specific high-level targets. I've never heard of that, and don't really see any substantive difference.)
If so, then technically speaking there's probably nothing really new here. What seems interesting to me is:
- Obviously, the vast scale, the sensitivity of the targets, and the potential political impact.
- The operation has not been publicly revealed by government agencies (FBI sez "no comment"), but rather by Nart Villeneuve et al. at the University of Toronto.
- Phishing is evidently effective enough to make widespread infiltration like this possible. Sure, there are more sophisticated things that attackers could do, and of course most users should know better than to blindly click links in their email. But here we are, phished to death all over the world. Why should an attacker go to any more trouble?
I wonder how much security improvement would be gained if Thunderbird & Outlook disabled the automatic opening of a browser when you click on a link in email, and made us go back to the old days of copying & pasting links. Would users be more careful if they could more easily see what they're doing?