This is light on one detail: who was running the compromised infrastructure?

Because the US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars. And here, the report conveniently doesn’t mention who let the hackers in.

I’d like to know which sloppy cloud contractor is responsible.

This was already the presumption. The rule of thumb is “assume you’re always being watched.”