I’d argue that many benefit - from my understanding this mainly hit western nations. It could be an enemy State effort. It could be a competitor to Crowdstrike, this is a disaster for them.
Who knows? I ask, not for the reasons I can think of but for the reasons I can’t. This did $billions in damage and caused lots of chaos. Did somebody die because equipment wasn’t available? Quite possibly. It’s no different than asking ‘who would want to commit terrorism?’. It doesn’t have to make sense to you or me.
As a software expert, responsible for safety critical systems, including their cybersecurity, this is so amateurish I’m suspicious. That’s all.
Even if it was not sabotage, clearly we have a vulnerability. One that could be used as an attack vector in the future. There needs to be an investigation into exactly how this happened.
It raises a bigger question too. If the infrastructure is so dependent on Microsoft, how do we make sure this doesn’t happen again? Accident or not.
Do not deploy a "mandatory update" to your entire customer base at the same time. Do it in small sample cohorts and pause to see if there is trouble. Pay very close attention to those cohorts. Continue if there is no trouble.
If something nasty slips through your test procedures, at least this will minimize the damage, and give organizations time to recover.
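The cohort-by-cohort rollout described in the comment above, written out as a small health-gated canary controller. This is an added example and not code from the thread, from CrowdStrike or from any vendor; the fleet of 100,000 hosts, the 10/40/160/... cohort sizes, the 1% failure threshold and the "did the host check back in healthy" signal are all constructed assumptions for illustration.

```python
"""Staged (canary) rollout of a mandatory update with a health gate.

Added example for the thread above; not any vendor's real deployment code.
Fleet size, cohort growth, failure threshold and the health signal returned
by deploy() are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class RolloutResult:
    deployed: int                 # hosts that actually received the update
    halted: bool                  # True if the health gate stopped the rollout
    failed_cohort: int            # index of the cohort that tripped the gate, -1 if none
    observed_failure_rate: float  # failure rate seen in the cohort that tripped the gate


def cohort_sizes(fleet_size: int, first: int = 10, growth: int = 4) -> List[int]:
    """Geometric cohorts (10, 40, 160, ...) that together cover the fleet.

    The last cohort is clipped so the sizes sum exactly to fleet_size.
    """
    sizes, total, n = [], 0, first
    while total < fleet_size:
        n = min(n, fleet_size - total)
        sizes.append(n)
        total += n
        n *= growth
    return sizes


def staged_rollout(fleet: List[str],
                   deploy: Callable[[List[str]], List[bool]],
                   max_failure_rate: float = 0.01,
                   first: int = 10, growth: int = 4,
                   soak: Callable[[int], None] = lambda cohort_idx: None) -> RolloutResult:
    """Push the update one cohort at a time and stop at the first bad cohort.

    deploy(cohort) returns one bool per host: True if that host reported back
    healthy after the update (assumed telemetry signal).  soak(idx) is called
    after each healthy cohort; in production it would wait long enough for
    telemetry to arrive before the next, larger cohort is touched.
    """
    deployed, offset = 0, 0
    for idx, size in enumerate(cohort_sizes(len(fleet), first, growth)):
        cohort = fleet[offset:offset + size]
        offset += size
        healthy = deploy(cohort)
        deployed += len(cohort)
        rate = healthy.count(False) / len(cohort)
        if rate > max_failure_rate:
            # Kill switch: nothing beyond this cohort ever sees the update.
            return RolloutResult(deployed, True, idx, rate)
        soak(idx)
    return RolloutResult(deployed, False, -1, 0.0)


# Constructed update behaviours standing in for real deploy + telemetry.
def good_update(cohort: List[str]) -> List[bool]:
    """Every host comes back healthy."""
    return [True for _ in cohort]


def bad_update(cohort: List[str]) -> List[bool]:
    """Every host that receives the update fails to come back (boot loop)."""
    return [False for _ in cohort]


def blast_radius_without_staging(fleet: List[str], deploy: Callable[[List[str]], List[bool]]) -> int:
    """Hosts broken if the same update is pushed to the whole fleet at once."""
    return deploy(fleet).count(False)


if __name__ == "__main__":
    fleet = [f"host-{i:06d}" for i in range(100_000)]   # constructed fleet
    r = staged_rollout(fleet, bad_update)
    print(f"staged:   halted={r.halted} after {r.deployed} hosts "
          f"(cohort {r.failed_cohort}, failure rate {r.observed_failure_rate:.0%})")
    print(f"unstaged: {blast_radius_without_staging(fleet, bad_update)} hosts broken")
```

With the constructed all-hosts-fail update, the staged path stops after the first 10-host cohort, while the all-at-once push breaks every one of the 100,000 hosts; the gate only helps if the health signal is measured before the next cohort starts, which is what the soak hook is for.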