
HPE Security Breach: Company Reports Russian Hackers in Its Email Environment

Hewlett Packard Enterprise (HPE) recently filed a mandatory SEC disclosure indicating that Russian hackers breached its cloud email environment, and that the incident was possibly linked to a prior internal email security breach that took place in 2023.

The security breach is not known to be related to the more recent announcement from Microsoft that Russian hackers had penetrated the inboxes of its senior leadership. It instead appears to have a connection to a May 2023 attack that the company had previously disclosed. The incident does also involve “Midnight Blizzard,” however, and shares some similarities to the more recent Microsoft attack.

HPE reports compromise of “small percentage” of senior leadership, cybersecurity accounts in security breach

As with the more recent Microsoft incident, the Russian hackers appear to have focused on a “small percentage of HPE accounts” belonging to employees who might have information on the group, such as senior leadership and cybersecurity staff. However, the attackers also compromised the accounts of members of the legal team, business units and other departments.

HPE was notified of the intrusion on December 12, according to the SEC filing. HPE believes it is related to a prior security breach that took place in May 2023, which the company also believes involved Midnight Blizzard and resulted in a similar compromise of a limited number of employee email accounts. That incident was disclosed in June 2023, shortly ahead of Microsoft’s disclosure of a widespread compromise of Office 365 email accounts. However, the Microsoft incident involved Chinese state-sponsored hackers and is not known to be linked to either of HPE’s email breaches as of yet. A “limited” number of SharePoint files were also exfiltrated during the May 2023 incident.

Few details are available about the more recent HPE security breach, but the company says that it does not expect the incident to have a material impact. It is also not clear whether the Russian hackers were able to dwell within the company environment from May to December. A prior statement from HPE indicated that the company “took containment and remediation measures intended to eradicate the activity.” A spokesperson did tell media sources that the compromised email accounts were running Microsoft software.

While it is not yet known if there is some direct share of responsibility in this case, any mention of Microsoft’s name in connection with a high-profile breach is not going unnoticed by the US government, as Lior Yaari (CEO and co-founder of Grip Security) observes: “Microsoft and HPE are two of the largest enterprise IT companies in the world. A data breach is an unequivocal testament to the fact that conventional cybersecurity defense measures are overcome far too often. This breach serves as a stark reminder that no business – irrespective of its size, industry, or location – is immune to the relentless machinations of hackers. The corporate world, especially organizations holding pivotal information, needs to really assess how to prevent these attacks. Companies should readily recognize, respond and reassess their defense mechanisms to keep up with the pace of evolving threat vectors. Negligence in these regards could potentially mean willingly setting the stage for the next major cyberspace catastrophe.”

Roger Grimes, data-driven defense evangelist for KnowBe4, notes that some sort of outdated legacy system that can no longer adequately be secured is usually at the root of “unthinkable” breaches: “Instead of pointing fingers and asking why Microsoft had a lesser protected legacy system still in existence, realize that this is true of most mid-size to large organizations. I rarely talk to a cybersecurity defender who isn’t complaining about one or more legacy systems, with huge security flaws, that they are forced to support. The company refuses to get rid of them. Instead, the best they can do is implement offsetting defenses to help mitigate some of the risk. So instead of pointing fingers, ask yourself if you have lesser protected legacy systems and if you’re doing all you can to mitigate the risk.”

Russian hackers more active during election years

“Midnight Blizzard,” also tracked as APT29, Cozy Bear and Nobelium, has been consistently active for well over a decade. The Russian hackers became notorious due to various election interference attempts in 2015 and 2016, but their single most damaging security breach would have to be the SolarWinds attack that ran from 2019 to 2020. That attack was emblematic of Midnight Blizzard’s approach: dwell quietly and limit activity to maintain access to a target for a long period, and focus only on specific high-value information to help reduce detection. That breach could potentially have impacted tens of thousands of SolarWinds’ downstream customers, but in the end the Russian hackers only took information from about 100 companies (mostly defense contractors) and about 10 federal agencies during the estimated year-and-change that they had access.

HPE already has some history as a target for state-sponsored threat actors, but not necessarily Russian hackers. In late 2018 a team believed to be affiliated with China’s Ministry of State Security breached both HPE and IBM at the same time. This was part of the more long-term “Cloudhopper” campaign aimed at stealing corporate secrets from technology companies, though relatively few that suffered security breaches ended up being publicly named.

State-sponsored Chinese and Russian hackers are expected to be highly active during the election period, but some security analysts say that they have given up on the idea of hacking local voting systems as it would be too difficult to pull off successfully without being detected.

Instead, these security breaches are most likely to be to gather intelligence that can be used for influence campaigns. Russia has long been thought to support Republican candidates in the belief that they are more likely to cut aid to Ukraine, though the party has internal division on this issue. Conversely, Chinese hackers have typically been thought to support Democrats as the government believes it will see more foreign policy benefit from the party. But the picture is now far from clear with tensions high over Taiwan.

In December, the US and UK governments jointly accused Russian hackers (a different group, tracked as Star Blizzard and attributed to the FSB rather than to Midnight Blizzard) of an eight-year global hacking spree directed at British lawmakers, journalists and NGOs. This campaign was primarily aimed at influencing UK politics but also included at least three attempts on US nuclear research labs and at least one successful security breach of the Department of Energy. Officials believe that this campaign is still active and has a special focus on breaking into email accounts of high-profile victims.

Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start, provides further insight into the expected objectives of these state-sponsored hacking teams: “The compromise of HPE by the SolarWinds hackers, commonly known as ‘Nobelium,’ following their attack on Microsoft, can be perceived differently based on various perspectives. From one standpoint, Nobelium’s history of persistent and targeted attacks against high-profile organizations, particularly those involved in critical infrastructure and technology, makes the targeting of both HPE and Microsoft consistent with their established pattern. Additionally, the fact that many organizations still have unpatched vulnerabilities from the SolarWinds attack years ago leaves them susceptible to further exploitation by Nobelium. The group’s apparent adaptation of tactics, such as using a simpler password spraying technique in the Microsoft attack, suggests ongoing efforts to overcome previous mitigation measures. On the other hand, the HPE compromise presents surprising elements. HPE and Microsoft took different approaches to securing their cloud-based email environments, and the breach at HPE appeared broader, involving more departments and lasting longer. This raises questions about potential security gaps specific to HPE’s system. While Nobelium’s targeting alignment implies a larger picture, the distinct goals and motives for each attack might differ, requiring more details to determine if they are part of a coordinated campaign or separate attempts for intelligence gathering or operational disruption. The specifics of each attack and their connections are still emerging, adding complexity to the overall understanding.”

Ariel Parnes, former Head of the Israeli Intelligence Service Cyber Department, and COO and Co-Founder at Mitiga, suggests that the recent chain of breaches is a call for major tech outfits to provide their customers with better logging capability: “This recent security incident at Hewlett Packard Enterprise underscores the imperative for organizations to prioritize the collection and analysis of security logs. Specifically, through the lens of unified audit logs within the M365 ecosystem, these logs are instrumental in providing insights into user activities and potential malicious actions. The importance of promptly detecting and responding to such incidents is highlighted by the HPE case, where unified audit logs were probably used in revealing unauthorized access to sensitive SharePoint files and manipulations within mailboxes. Retaining these logs over an extended period equips organizations with the ability to retroactively investigate incidents, aiding in identifying the entry point and duration of a threat actor’s presence. In the face of persistent Business Email Compromise (BEC) threats, the HPE incident and other significant M365 BEC instances serve as a stark reminder that threat actors can infiltrate systems and operate undetected for an extended duration. Continuous BEC threat hunts, fueled by the analysis of unified audit logs, empower organizations to proactively search for indicators of compromise, facilitating the discovery and neutralization of potential threats before they escalate.”
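The two quotes above point at concrete log evidence: the password spraying Jones mentions shows up as many failed sign-ins against different accounts from one source, and the mailbox manipulation and SharePoint access Parnes describes are recorded as inbox-rule and file operations in the M365 unified audit log. The following is an added example (not code from the article, from HPE, Microsoft or any of the vendors quoted) of a small hunt over unified audit log records exported to JSON. The record shape follows the Office 365 Management Activity API schema; the users, IP addresses, file names and corporate egress range are hypothetical, and the records themselves are constructed for the example rather than taken from any real tenant.

```python
"""
Threat hunt over Microsoft 365 Unified Audit Log (UAL) records.

Record fields follow the Office 365 Management Activity API schema
(CreationTime, Operation, UserId, ClientIP, Workload, Parameters, ObjectId).
Every record below is constructed for this example; the users, IPs and
file names are hypothetical and not from HPE, Microsoft or any real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import json

# Assumption: the tenant's known egress ranges (hypothetical, RFC 5737 space).
CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Inbox-rule parameters that hide, divert or auto-forward mail: the rules an
# attacker sets so the mailbox owner does not notice the compromise.
RISKY_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo",
                     "RedirectTo", "MoveToFolder", "MarkAsRead"}


def _rec(time, op, user, ip, workload, **extra):
    """Build one UAL-shaped record (helper for the constructed sample)."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "ClientIP": ip, "Workload": workload, **extra}


# Constructed sample: one external IP, 203.0.113.7, tries four accounts once
# each, gets into legal@, hides mail about the incident and pulls a SharePoint
# file.  bob@ mistypes his own password twice from inside the corporate range.
SAMPLE_UAL = [
    _rec("2023-12-01T02:00:05", "UserLoginFailed", "alice@corp.example", "203.0.113.7", "AzureActiveDirectory"),
    _rec("2023-12-01T02:00:09", "UserLoginFailed", "bob@corp.example", "203.0.113.7", "AzureActiveDirectory"),
    _rec("2023-12-01T02:00:14", "UserLoginFailed", "carol@corp.example", "203.0.113.7", "AzureActiveDirectory"),
    _rec("2023-12-01T02:00:20", "UserLoginFailed", "legal@corp.example", "203.0.113.7", "AzureActiveDirectory"),
    _rec("2023-12-01T02:01:02", "UserLoggedIn", "legal@corp.example", "203.0.113.7", "AzureActiveDirectory"),
    _rec("2023-12-01T09:10:00", "UserLoginFailed", "bob@corp.example", "198.51.100.23", "AzureActiveDirectory"),
    _rec("2023-12-01T09:10:07", "UserLoginFailed", "bob@corp.example", "198.51.100.23", "AzureActiveDirectory"),
    _rec("2023-12-01T09:10:15", "UserLoggedIn", "bob@corp.example", "198.51.100.23", "AzureActiveDirectory"),
    _rec("2023-12-01T02:03:30", "New-InboxRule", "legal@corp.example", "203.0.113.7", "Exchange",
         Parameters=[{"Name": "SubjectContainsWords", "Value": "security;incident;breach"},
                     {"Name": "DeleteMessage", "Value": "True"}]),
    _rec("2023-12-01T02:05:41", "FileDownloaded", "legal@corp.example", "203.0.113.7", "SharePoint",
         ObjectId="https://corp.sharepoint.example/sites/legal/board-minutes.docx"),
    _rec("2023-12-01T10:00:00", "FileDownloaded", "carol@corp.example", "198.51.100.40", "SharePoint",
         ObjectId="https://corp.sharepoint.example/sites/hr/handbook.pdf"),
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def detect_password_spray(records, window=timedelta(minutes=30), min_users=3):
    """Source IPs whose failed logins hit >= min_users distinct accounts within `window`.

    Many accounts with few attempts each is the spray signature; repeated
    failures against a single account (a user mistyping) do not trigger it.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            by_ip[r["ClientIP"]].append((_ts(r), r["UserId"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_risky_inbox_rules(records):
    """Inbox rules created or changed with parameters that hide or divert mail."""
    out = []
    for r in records:
        if r["Operation"] in {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}:
            risky = {p["Name"] for p in r.get("Parameters", [])} & RISKY_RULE_PARAMS
            if risky:
                out.append((r["UserId"], r["ClientIP"], sorted(risky)))
    return out


def detect_external_sharepoint_reads(records, corp_nets=CORP_NETS):
    """SharePoint file reads or downloads from IPs outside the known egress ranges."""
    out = []
    for r in records:
        if r["Workload"] == "SharePoint" and r["Operation"] in {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}:
            ip = ipaddress.ip_address(r["ClientIP"])
            if not any(ip in net for net in corp_nets):
                out.append((r["UserId"], r["ClientIP"], r["ObjectId"]))
    return out


def pivot_on_ip(records, ip):
    """Everything an IP did other than failing logins: the successful sign-in and what followed."""
    return sorted((_ts(r).isoformat(), r["Operation"], r["UserId"])
                  for r in records if r["ClientIP"] == ip and r["Operation"] != "UserLoginFailed")


def hunt(records):
    """Run every detector and pivot from each spraying IP to its follow-on activity."""
    spray = detect_password_spray(records)
    return {
        "password_spray": spray,
        "spray_followup": {ip: pivot_on_ip(records, ip) for ip in spray},
        "risky_inbox_rules": detect_risky_inbox_rules(records),
        "external_sharepoint": detect_external_sharepoint_reads(records),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_UAL), indent=2))
```

On the constructed sample the spray detector flags only 203.0.113.7 (four distinct accounts inside the window), the pivot shows that the same IP then signed in as legal@, created a rule deleting mail about “security”, “incident” and “breach”, and downloaded a SharePoint file from outside the corporate range, while bob@’s two mistyped passwords and carol@’s in-office download stay quiet. On a real tenant the input would be the `AuditData` of `Search-UnifiedAuditLog` results, and the egress ranges and thresholds would be the tenant’s own; the value of the pivot step is the point Parnes makes about retention, since it only works if the failed sign-ins from months earlier are still in the log.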

And Hen Amartely, Director of Product Marketing at DoControl, sees the Microsoft and HPE incidents as a call for organizations to carefully re-evaluate the state of their cloud security: “Cloud-based productivity tools have many advantages, but typically security is not one of them. In this case, it seems that vulnerabilities in a cloud based email platform were used by attackers to gain access to mailboxes and potentially other collaborative content belonging to key people in HPE, much like was disclosed earlier this month about Microsoft. The cloud genie is out of the bottle, and isn’t going back in. The best option for organizations using these kinds of Software as a Service productivity tools is to invest in security tooling that can monitor these platforms for anomalous and irregular acts or behavior, and then alert on and/or remediate those actions.”