en.wikipedia.org/wiki/Dmitri_Alperovitch

Silverado’s own website contradicts this date. Its official history page says, "Silverado officially launched in February 2021." Silverado also marked February 23, 2022 as the first anniversary of its public launch, which places the launch in February 2021, not March 2021.

The primary McAfee report is more limited than this sentence suggests. In Appendix B, McAfee says it had "no direct evidence to name the originators of these attacks" and only identified one individual who provided crucial command-and-control infrastructure in Heze City, Shandong. McAfee explicitly added that it did not believe this person was the mastermind behind the attacks. Contemporary reporting on the report likewise says McAfee identified a man in Heze who provided servers used in the operation, not that the operation itself was conclusively traced to him as the attacker.

So this wording overstates the evidence: Song Zhiyue was described as a provider of infrastructure tied to the operation, not as the person to whom the Night Dragon attacks were definitively traced.

This sentence states a disputed causal chain as if the CSRB review established it as fact. But reporting on Microsoft’s own investigation and on the CSRB report says the key-acquisition mechanism was not conclusively determined.

TechCrunch reported that Microsoft said Storm-0558 had compromised a Microsoft engineer’s corporate account and that this was the "most probable mechanism" for how the key was obtained, but Microsoft also said it "cannot be completely certain" because it lacked logs showing the exfiltration.

Coverage of the CSRB report quotes the board as saying that, as of the date of the report, Microsoft did not know how or when Storm-0558 obtained the signing key. In other words, the review did not definitively establish that Storm-0558 broke into Microsoft’s corporate network and stole the key in the way this sentence presents. That may have been a leading theory, but it was not a confirmed finding.