
Hewlett Packard Enterprise (HPE) Security Breach Granted IntelBroker Access to Company’s Source Code

Hewlett Packard Enterprise (HPE) is investigating a potential security breach after the infamous threat actor IntelBroker claimed they stole the company’s source code.

“HPE became aware on January 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE,” the company said in a statement.

In 2015, HPE branched off from Hewlett-Packard Company (HP) to focus on enterprise products such as servers, networking, and cloud solutions, while HP retained the consumer division.

IntelBroker is linked to various data breaches, including AMD, DC Health Link, Home Depot, Europol, Cisco, Nokia, ZScaler, Acuity, Ford, State Department, and General Electric Aviation.

The DC Health Link data breach impacted U.S. House members and their families, prompting a Congressional hearing.

Meanwhile, HPE says the alleged data breach did not affect its operations or leak customer information.

Security breach compromises HPE’s source code

IntelBroker said they accessed HPE’s source code, including private GitHub repositories, Docker builds, SAP Hybris, and certificates, including public and private keys.

They also stole product source code, including Zerto and iLO. The HPE source code heist also exposed user data in the form of old user PII for previous product deliveries. Other details pilfered during the HPE security breach include access credentials, including API access, GitHub, and self-hosted GitHub.

Although the attackers did not disclose how they gained access to HPE’s software development infrastructure, they claimed to have maintained access for two days and accessed some services.

“We’ve been connecting to some of their services for about 2 days now,” IntelBroker stated.

In response, HPE said it immediately activated cyber response protocols, deactivated the compromised credentials, and launched an investigation to determine the nature and scope of the potential security breach.

“HPE immediately activated our cyber response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims,” said HPE.

However, the security breach did not affect HPE’s business operations, thus ruling out a ransomware attack. The tech giant also believes that customer information was not involved.

“There is no operational impact to our business at this time, nor evidence that customer information is involved,” HPE stated.

It remains unclear if this security breach is linked to a February 2024 leak in which IntelBroker listed HPE’s credentials, including CI/CD credentials and access tokens.

“Development environments are often managed with lower security standards than production, as they are typically isolated from the internet, despite holding critical assets like source code, credentials, and information about what systems the mirror in production interacts with,” noted Victor Acin, Head of Threat Intel at Outpost24.

The enterprise giant has not disclosed receiving any ransom demands, as the threat actor seemingly intends to monetize the security breach by selling the stolen source code, data, and access to other hackers.

Security breaches in the past

Nonetheless, HPE has previously suffered numerous security breaches. In December 2023, the enterprise giant told the U.S. Securities and Exchange Commission (SEC) that the Russian state-sponsored threat actor Midnight Blizzard, also known as APT29 or Cozy Bear, breached its email systems and exfiltrated data from some mailboxes.

The security breach that began in May 2023 was discovered in June, giving the cybercriminals adequate time to discover valuable information.

In 2021, HPE reported a security breach involving the Chinese threat actor APT10, which compromised customer devices.

Earlier in 2018, another security breach compromised HPE’s Aruba Networks, granting the attacker access to monitored devices.