There are plenty of lessons for attackers here in this case study, but not much new for defenders. It just reinforces things security professionals have been saying for a long time.
1. Building from source is safer than downloading binaries
2. Reproducible builds can help spot differences between the source and binaries
3. Don't run services that you don't actually need (like SSH)
4. Make your systems as stripped down as possible (complexity is the enemy)
5. Compartmentalization
6. Set up automated detection and response
7. Network segmentation (e.g. only allow SSH from an admin network)
8. It's better to build software that doesn't require constant updates (so there's more time to give scrutiny to the changes that are made)
9. Source code scanners and manual audits are good but not sufficient on their own
10. Many backdoors will have side channels (like performance issues) that can give them away. However, because of constant updates and the complexity of most software nowadays, there are tons of other opportunities for performance issues to crop up. Also, some backdoors don't have a noticeable performance impact
It's all pretty standard stuff here.
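Item 10's point about performance side channels and their noise, as an added example that is not part of the comment above: a robust baseline check that flags a sustained latency regression in a service (sshd login time, say) while ignoring ordinary jitter and small shifts. All timing values are constructed, and the median/MAD threshold and window size are assumed parameters.

```python
"""Flag a sustained latency regression against a learned baseline using a
median / MAD threshold. Added example, not from the original comment; the
measurements below are constructed, not real data."""
from statistics import median


def mad(values, center):
    """Median absolute deviation: a spread estimate that noisy outliers barely move."""
    return median(abs(v - center) for v in values)


def regression_windows(samples, baseline_n, window, k=5.0):
    """Return (start_index, window_median) for each window whose median timing
    exceeds baseline median + k * MAD.

    The first baseline_n samples form the baseline. Samples are judged in
    consecutive windows rather than one at a time, so a single slow login
    (busy host, cold cache) is not flagged; only a persistent shift is."""
    base = samples[:baseline_n]
    center = median(base)
    spread = mad(base, center) or 1e-9  # guard against a perfectly flat baseline
    limit = center + k * spread
    flagged = []
    for start in range(baseline_n, len(samples) - window + 1, window):
        window_median = median(samples[start:start + window])
        if window_median > limit:
            flagged.append((start, window_median))
    return flagged


# Constructed timings (milliseconds) of the authentication phase of a login.
BASELINE = [42, 45, 41, 44, 43, 46, 42, 44, 43, 45, 41, 44]
NOISE = [44, 43, 47, 42, 45, 44]            # ordinary jitter: must not be flagged
MILD = [48, 49, 47, 50, 48, 49]             # small shift inside the noise: not flagged
REGRESSED = [520, 540, 510, 535, 525, 530]  # a sudden large CPU cost per login
SAMPLES = BASELINE + NOISE + MILD + REGRESSED

if __name__ == "__main__":
    for start, m in regression_windows(SAMPLES, len(BASELINE), 6):
        print(f"window starting at sample {start}: median {m} ms above baseline")
```

The MILD window shows the caveat in item 10: a backdoor whose cost stays within normal jitter never crosses the threshold, so this check complements rather than replaces the other items.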