HPE’s corporate emails breached by Russian state-sponsored actor ‘Cozy Bear’

A Russia-based threat actor known as “Cozy Bear” or “Midnight Blizzard” has breached some of HPE’s corporate mailboxes, the company revealed on Thursday in a Securities and Exchange Commission (SEC) filing.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HPE said in the SEC filing.

HPE said it had been notified in June 2023 that a known threat actor had gained unauthorized access to SharePoint files as early as May 2023; it then investigated with external cybersecurity experts and took containment measures.

“We determined that such activity did not materially impact the Company,” it concluded.

In 2018, Chinese hackers working for the Ministry of State Security were reported to have infiltrated the networks of HPE and IBM and used that access to attack the two companies’ clients.

Connection to Microsoft attack

This data breach of HPE’s mailboxes comes days after Microsoft disclosed that inboxes belonging to its senior leadership had been hit by a Russian threat actor believed to be Midnight Blizzard.

It’s not known whether this is part of a coordinated campaign targeting US tech giants, or whether separate teams within the group tracked as Midnight Blizzard or Cozy Bear were working on unrelated missions.

“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said in a blog post disclosing the attack.

Password spraying is a brute-force attack in which the attacker tries one or a few common passwords against many accounts, rather than many passwords against one account. Because each account sees only a handful of failures, the attempts stay below the per-account lockout threshold that would stop a conventional brute-force attack.
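A spray leaves a distinctive footprint in sign-in logs: breadth across accounts rather than depth on one. The script below is an added example for this article, not code from HPE, Microsoft or the article’s author; the log format, account names, IP addresses and thresholds are constructed for illustration. It flags a source that fails against many distinct accounts while staying under a typical lockout threshold, and for contrast shows a single-account brute force that a lockout policy would catch.

```python
"""Password-spray detection over constructed sign-in records.

Added illustration, not HPE's or Microsoft's tooling. The log format,
field names, addresses and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry), one event per line:
# "<ISO timestamp> <source IP> <account> <SUCCESS|FAIL>".
# 203.0.113.7 tries one password against six accounts, twice each (a spray,
# staying under a lockout threshold of five) and finally lands on a legacy
# test account. 198.51.100.9 hammers a single account (classic brute force).
# 192.0.2.40 is a user mistyping a password once: benign noise.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.7 alice@corp.example FAIL
2023-11-28T02:00:04Z 203.0.113.7 bob@corp.example FAIL
2023-11-28T02:00:07Z 203.0.113.7 carol@corp.example FAIL
2023-11-28T02:00:10Z 203.0.113.7 dave@corp.example FAIL
2023-11-28T02:00:13Z 203.0.113.7 erin@corp.example FAIL
2023-11-28T02:00:16Z 203.0.113.7 svc-test@corp.example FAIL
2023-11-28T02:10:01Z 203.0.113.7 alice@corp.example FAIL
2023-11-28T02:10:04Z 203.0.113.7 bob@corp.example FAIL
2023-11-28T02:10:07Z 203.0.113.7 carol@corp.example FAIL
2023-11-28T02:10:10Z 203.0.113.7 dave@corp.example FAIL
2023-11-28T02:10:13Z 203.0.113.7 erin@corp.example FAIL
2023-11-28T02:10:16Z 203.0.113.7 svc-test@corp.example SUCCESS
2023-11-28T02:05:00Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:05:01Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:05:02Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:05:03Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:05:04Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:05:05Z 198.51.100.9 frank@corp.example FAIL
2023-11-28T02:30:00Z 192.0.2.40 alice@corp.example FAIL
2023-11-28T02:30:20Z 192.0.2.40 alice@corp.example SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, outcome),
    sorted by time so each source's events are in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, lockout_threshold=5):
    """Return {source_ip: finding} for every source that failed against at
    least `min_accounts` distinct accounts inside some `window`-long span.
    The finding records the per-account failure count so an analyst can see
    that the spray stayed under the lockout threshold, and lists accounts the
    same source later signed into successfully (likely compromised)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):  # sliding window per source
            span = [e for e in evs[i:] if e[0] - start <= window]
            failed = defaultdict(int)
            for _, _, account, outcome in span:
                if outcome == "FAIL":
                    failed[account] += 1
            if len(failed) >= min_accounts:
                worst = max(failed.values())
                findings[ip] = {
                    "accounts_targeted": len(failed),
                    "max_failures_per_account": worst,
                    "under_lockout_threshold": worst < lockout_threshold,
                    "compromised": sorted({a for _, _, a, o in span
                                           if o == "SUCCESS" and a in failed}),
                }
                break
    return findings


def detect_single_account_bruteforce(events, lockout_threshold=5):
    """The classic check a lockout policy implements: per (source, account)
    failure counts at or above the threshold. A spray never trips it."""
    counts = defaultdict(int)
    for _, ip, account, outcome in events:
        if outcome == "FAIL":
            counts[(ip, account)] += 1
    return {k: n for k, n in counts.items() if n >= lockout_threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("lockout candidates:", detect_single_account_bruteforce(evs))
```

Run against the constructed log, the spray detector reports only 203.0.113.7 (six accounts, at most two failures each, one later success on svc-test), while the lockout-style check reports only the 198.51.100.9/frank pair; neither flags the benign typo from 192.0.2.40. The point is that the two checks are complementary: per-account lockout alone leaves the spray invisible, which is why the detection has to key on distinct accounts per source.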

“The recent Microsoft breach and disclosure brings to the forefront two challenges: no one is immune (even global organizations) from threat actors, and as an organization, it will take time to put any fixes in place,” said Ravi Srinivasan, CEO, of cyber security firm Votiro. “Anytime a threat is detected, it’s costly and time-consuming to remediate.”

Two-factor authentication (2FA) mitigates password spraying because a guessed password alone no longer signs the attacker in. The mitigation only works where it is actually enforced: forgotten legacy or test accounts that sit outside the policy are exactly the ones a spray finds.

“This was a pretty simple kind of an attack… something that could have been prevented by two-factor authentication, Microsoft was not enforcing its own policies on certain systems,” Alex Stamos, an executive at SentinelOne and former Facebook CSO, told CNBC.

“Microsoft dumped this out on a Friday in a [securities filing] and a small press release. They clearly wanted to bury the news,” he continued.

Cozy Bear is APT29

Hacker groups go by several nicknames because each threat-intelligence vendor assigns its own: CrowdStrike calls this group Cozy Bear, Microsoft calls it Midnight Blizzard (formerly Nobelium), and the designation most widely used, including in US government advisories, is APT29. It is attributed to Russia’s Foreign Intelligence Service (SVR).

APT29 is believed to be behind the 2020 SolarWinds supply-chain compromise, which led to breaches at the US Treasury, the US Department of Commerce, and other government agencies. The group is also said to be responsible for a 2016 intrusion into the Democratic National Committee’s network.
