Hewlett-Packard Enterprise (HPE) has revealed that a Russian government-backed hacker group, Midnight Blizzard, broke into its system, gaining access to its cloud-based email environment.
The company disclosed this on Thursday in a corporate filing with the U.S. Securities and Exchange Commission (SEC). This followed a similar incident by the same group announced last week by software giant Microsoft.
HPE said it was notified of the attack by nation-state hackers, also known as Cozy Bear, on December 12, 2023.
The company said it immediately activated its response process to investigate, contain, and remediate the incident, eradicating the activity with assistance from external cybersecurity experts.
Hackers gained access in May
Providing further insights into the attack, HPE in the SEC filing said:
- “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.
- “While our investigation of this incident and its scope remains ongoing, the company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorised access to and exfiltration of a limited number of SharePoint files as early as May 2023.
- “Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the company.”
The company said it has notified and is cooperating with law enforcement agents while also assessing its regulatory notification obligations.
HPE added that it would make notifications as appropriate based on its investigation findings.
- “As of the date of this filing, the incident has not had a material impact on the company’s operations, and the company has not determined the incident is reasonably likely to materially impact the company’s financial condition or results of operations,” the company said.
Attack on Microsoft
Just last week, Microsoft also reported in a SEC filing a breach of its system by the same Russian government-backed Midnight Blizzard, with a warning that all organisations now face risks from well-resourced nation-state threat actors.
Microsoft disclosed that the hackers gained access to some of its corporate email accounts, including members of its senior leadership team and employees in its cybersecurity, legal, and other functions.
It said the attackers were able to exfiltrate some emails and attached documents from its system.
According to Microsoft, the hackers who gained access to its system from late November 2023 until they were discovered on January 12, 2024, were targeting information relating to them on Microsoft’s system.
The hackers
Midnight Blizzard, also known as APT29, is a group of hackers reputedly associated with the Russian Foreign Intelligence Service (SVR).
The group’s existence was first noted in 2008 following the discovery of MiniDuke malware samples, as reported by cybersecurity firm Kaspersky.
APT29 is notorious for its advanced cyber-warfare techniques, primarily serving the intelligence objectives of the SVR.
Over the years, Midnight Blizzard has been linked to several prominent cyberattacks. Its targets have included a private research institute based in Washington DC, in 2014, the Pentagon in 2015, the Democratic National Committee and various US think tanks in 2016, and governmental bodies in Norway and the Netherlands in 2017.