Hewlett Packard Enterprise (HPE) revealed that Russia-linked APT group Midnight Blizzard gained access to its Microsoft Office 365 email system.
Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment.
The attackers were collecting information on the cybersecurity division of the company and other functions.
The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.
HPE became aware of the intrusion in December 2023 and immediately launched an investigation into the security breach with the help of external cybersecurity experts.
The investigation revealed that the attackers had gained access to the company environment and had been exfiltrating data since May 2023. The cyberspies compromised a small percentage of HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments, and other functions.
“On December 12, 2023, Hewlett Packard Enterprise Company (the “Company,” “HPE,” or “we”) was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity.” reads the Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”
The investigation is still ongoing; however, the IT giant determined that the intrusion is likely linked to another attack conducted by the same APT group, of which it was notified in June 2023.
As early as May 2023, the company discovered unauthorized access to and exfiltration of a limited number of SharePoint files.
“Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity.” continues the company. “Upon undertaking such actions, we determined that such activity did not materially impact the Company.”
The company notified law enforcement and regulatory authorities. HPE emphasized that, as of the filing date, the incident has not significantly affected its operations.
Recently Microsoft warned that some of its corporate email accounts were compromised by the same Russia-linked group Midnight Blizzard. Microsoft notified law enforcement and relevant regulatory authorities.
Microsoft discovered the intrusion on January 12, 2024, and immediately launched an investigation into the security breach. The IT giant confirmed that it had locked out the threat actors and mitigated the attack.
“On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis.” reads a Form 8-K filing with the SEC. “We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident.”
The state-sponsored hackers first compromised the company systems in late November 2023 with a password spray attack. Password spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.
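An added example, not from the original article or from Microsoft: detection logic showing why a per-account lockout counter misses the pattern described above, while a per-source count of distinct failing accounts catches it. The sign-in events, thresholds and function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source IP, account, outcome). Not real log data.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    # One source, six accounts, a single failed attempt each: the spray pattern.
    [(f"2024-01-10T09:{2 * i:02d}:00", "203.0.113.7", u, "fail") for i, u in enumerate(USERS)]
    # One source, one account, six failures: classic brute force.
    + [(f"2024-01-10T10:0{i}:00", "198.51.100.9", "svc-backup", "fail") for i in range(6)]
    # An ordinary typo followed by a successful sign-in.
    + [("2024-01-10T11:00:00", "192.0.2.10", "carol", "fail"),
       ("2024-01-10T11:00:20", "192.0.2.10", "carol", "success")]
)

def locked_out_accounts(events, threshold=5):
    """Per-account lockout view: accounts with at least `threshold` failures."""
    fails = Counter(acct for _, _, acct, outcome in events if outcome == "fail")
    return sorted(a for a, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Per-source view: many distinct accounts failing within one window, few tries each."""
    by_source = defaultdict(list)
    for ts, source, account, outcome in events:
        if outcome == "fail":
            by_source[source].append((datetime.fromisoformat(ts), account))
    flagged = defaultdict(set)
    for source, rows in by_source.items():
        rows.sort()
        start, counts = 0, Counter()
        for ts, account in rows:
            counts[account] += 1
            # Slide the window: drop failures older than `window` before this one.
            while ts - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[source].update(counts)
    return {s: sorted(accts) for s, accts in flagged.items()}

if __name__ == "__main__":
    print("locked out:", locked_out_accounts(SAMPLE))
    print("spray sources:", spray_sources(SAMPLE))
```

On the constructed data the lockout counter reacts only to the single-account brute force, while the per-source view flags the address that touched six accounts once each. A spray spread across many source addresses would need grouping on a key other than source IP.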
Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.
The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.
“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” wrote Microsoft. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”
According to the Form 8-K, the incident has not had a material impact on the Company’s operations.
“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” reads the document.
Unlike Microsoft, HPE has yet to disclose technical details of the security breach.
(SecurityAffairs – hacking, Microsoft)