HPE Fingers Russian State Hackers for Email Hack
'Midnight Blizzard' Was Inside Company Network for 7 Months
Hewlett Packard Enterprise in an after-hours regulatory filing disclosed that suspected Russian state hackers had gained access to corporate email inboxes for more than seven months.
The Silicon Valley stalwart notified investors that hackers suspected to be from the Russian Foreign Intelligence Service had first penetrated its cloud-based email service in May 2023.
The company did not detect the breach until Dec. 12, when it received a notification, it said. The regulatory filing says the hackers are "believed" to be "Midnight Blizzard," also known as APT29 and CozyBear.
Microsoft only days ago disclosed that the same hackers had penetrated the inboxes of senior company leadership. The White House linked the threat actor to Moscow in 2021 after its hackers inserted a backdoor into IT infrastructure software developed by SolarWinds (see: Microsoft: Russian Hackers Had Access to Executives' Emails).
The hackers in this latest incident found their way into a "small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions," the company said.
The regulatory filing said the email hack is likely related to earlier activity by the same group of hackers that the company learned about in June 2023. That activity involved unauthorized access to the HPE SharePoint server in May 2023 and "exfiltration of a limited number of files."
Threat intelligence firm Mandiant in August 2022 warned that the Russian hacking group was paying particular attention to Microsoft 365, the ubiquitous suite of productivity and cloud storage apps. Midnight Blizzard used virtual machines in the Microsoft cloud to hide its tracks (see: Russia's APT29 Targeting Microsoft 365 Users).
The federal government as early as 2018 noticed the group shifting toward targeting cloud resources, "particularly e-mail" and relying less on malware, according to an April 2021 advisory.
A company representative said it decided to disclose the hack "once our investigation led us to conclude, out of an abundance of caution, that doing so would be in compliance with the spirit of new SEC regulations regarding cyber incidents." The U.S. Securities and Exchange Commission voted last year for regulations, which took effect in December, requiring publicly traded corporations to disclose "material cybersecurity incidents" within four business days of determining materiality.*
HPE said the incident so far has had no material effect on its operations, but the potential effect on its financial condition remains to be seen. The company finished the trading day up by 1.68%, but in after-hours trading, it is down by 1.02%. HPE made news earlier this month when it announced a $14 billion acquisition deal with networking equipment maker Juniper Networks, touting the deal as a way to position the combined companies for the burgeoning artificial intelligence market (see: HPE to Buy Juniper for $14B to Boost AI and Networking).
*Updated Jan. 25, 2024 00:35 UTC: Adds comment from HPE.
With reporting by Information Security Media Group's Michael Novinson in Massachusetts