HPE breached by Russian APT behind Microsoft hack

HPE suspects that Cozy Bear, a Russian state-sponsored threat actor also known as Midnight Blizzard and Nobelium, breached its network twice in 2020.

HPE disclosed via an 8-K filing that it recently suffered a cyberattack believed to have been perpetrated by Cozy Bear, the Russian nation-state actor behind a recent, similar attack against Microsoft.

In the 8-K, filed with the U.S. Securities and Exchange Commission and published on Jan. 24, HPE said it was notified on Dec. 12 that a "suspected nation-state actor" believed to be Cozy Bear "had gained unauthorized access to HPE's cloud-based email environment." HPE said it consulted external cybersecurity experts and worked to contain and investigate the breach.

Cozy Bear is an advanced persistent threat (APT) group affiliated with the Russian government's Foreign Intelligence Service. Also known as APT29, Midnight Blizzard and Nobelium, the group is known for a variety of high-profile attacks, including the infamous 2020 supply-chain attack against SolarWinds.

According to the filing, HPE believes data was first accessed and exfiltrated by Cozy Bear in May 2023 "from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions." Moreover, the company said it believed the incident was related to earlier activity conducted against HPE earlier in the year.

"While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023," the filing read. "Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the Company."

HPE is cooperating with law enforcement, it said, and will make regulatory notifications as appropriate.

HPE's breach echoes the attack disclosed by Microsoft last week. On Friday, the tech giant said a Russian state-sponsored actor it tracked as Midnight Blizzard breached its network and accessed "a very small percentage of Microsoft corporate email accounts," including members of its senior leadership team. The attack was detected on Jan. 12, though Microsoft said relevant activity began in November 2023.

In the case of Microsoft, Cozy Bear gained access by using a password spray attack against a legacy non-production test tenant account to gain a foothold in the network before elevating privileges. It's unclear how the threat actors used the account to gain access to the email accounts of senior executives.

A spokesperson for HPE shared the following statement with TechTarget Editorial on Thursday, which reiterates much of the information from the 8-K filing.

On December 12, 2023, HPE was notified that a suspected nation-state actor had gained unauthorized access to the company's Office 365 email environment. HPE immediately activated cyber response protocols to begin an investigation, remediate the incident, and eradicate the activity. Through that investigation, which remains ongoing, we determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear.

The accessed data is limited to information contained in the users' mailboxes. We continue to investigate and will make appropriate notifications as required.

Out of an abundance of caution and a desire to comply with the spirit of new regulatory disclosure guidelines, we have filed a form 8-K with the Securities & Exchange Commission to notify that body, and investors, about this incident. That said, there has been no operational impact on our business and, to date, we have not determined that this incident is likely to have a material financial impact.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.

Next Steps

 Midnight Blizzard accessed Microsoft systems, source code

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing