This is extremely common. 6 months is not that long, even among competent companies that have good security. You usually hear about it from the FBI. I think the FBI forwards tips from agencies like the NSA, but they don’t tend to give much information.
It may be common, but I'll disagree it's common for companies with "good security." Password spraying doesn't work with good 2FA, nor sane login limits. I set off a flag anytime logging in from a new IP, for example.
2FA and login limits alone aren't likely to stand in the way of state-sponsored hackers.
Lots of companies still haven't upgraded to zero trust / BeyondCorp AuthN, and lots of companies don't have reproducible signed build artifacts from CI/CD with automatic policy enforcement regarding the properties that those build artifacts must have before they can be deployed.
High-profile companies that think VPNs and networking rules are a security solution have probably already been hacked and just don't know it yet.
Citrix has had 2FA for logins outside the corporate network for years. They also lock your account after 3 consecutive failed login attempts (even internally).
Not saying Citrix security is perfect, but protecting yourself from this kind of attack is certainly not as simple as "Add 2FA and limit login attempts".
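Added example, not part of any comment in this thread: a minimal Python sketch of why the per-account lockout mentioned above (3 consecutive failures) does not see a password spray, while a per-source count of distinct failed accounts and the "new IP" flag do. The event format, the sample events, the `analyze` function and the two spray thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample auth events: (epoch_seconds, source_ip, account, success)
EVENTS = [
    (0,  "198.51.100.7", "alice", False),
    (5,  "198.51.100.7", "bob",   False),
    (10, "198.51.100.7", "carol", False),
    (15, "198.51.100.7", "dave",  False),
    (20, "203.0.113.9",  "erin",  False),
    (25, "203.0.113.9",  "erin",  False),
    (30, "203.0.113.9",  "erin",  False),
    (40, "192.0.2.10",   "alice", True),
    (50, "198.51.100.7", "frank", True),
]
KNOWN_IPS = {"alice": {"192.0.2.10"}}  # constructed login history

LOCKOUT_AFTER = 3    # consecutive failures per account, as in the thread
SPRAY_ACCOUNTS = 4   # assumed: distinct accounts failed from one source
SPRAY_WINDOW = 600   # assumed: sliding window in seconds

def analyze(events, known_ips):
    known = {a: set(ips) for a, ips in known_ips.items()}
    streak = defaultdict(int)        # account -> consecutive failures
    recent = defaultdict(deque)      # source -> (ts, account) failures in window
    out = {"locked": set(), "spray_sources": set(),
           "new_ip_logins": [], "success_from_spray_source": []}
    for ts, src, acct, ok in sorted(events):
        if ok:
            streak[acct] = 0
            # Flag a successful login from an address not seen for this account.
            if src not in known.setdefault(acct, set()):
                out["new_ip_logins"].append((acct, src))
                known[acct].add(src)
            # A success from a source already flagged for spraying is the key alert.
            if src in out["spray_sources"]:
                out["success_from_spray_source"].append((acct, src))
            continue
        streak[acct] += 1
        if streak[acct] >= LOCKOUT_AFTER:
            out["locked"].add(acct)
        window = recent[src]
        window.append((ts, acct))
        while ts - window[0][0] > SPRAY_WINDOW:   # drop failures outside the window
            window.popleft()
        if len({a for _, a in window}) >= SPRAY_ACCOUNTS:
            out["spray_sources"].add(src)
    return out

if __name__ == "__main__":
    print(analyze(EVENTS, KNOWN_IPS))
```

Only the account hit three times in a row is locked; the four accounts tried once each from a single source never reach the lockout counter, and that source is caught only by the per-source view.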