Hewlett Packard Enterprise (HPE) revealed in an SEC filing on Wednesday that its cloud email environment was targeted by hackers believed to be sponsored by the Russian government.
The company said it was notified on December 12 that a threat group identified as Midnight Blizzard and Cozy Bear had hacked into its cloud-based email environment.
HPE said it kicked out the attackers, but its investigation revealed that the threat actor gained access to its systems and started exfiltrating data in May 2023. The hackers targeted “a small percentage of HPE mailboxes” used by staff in cybersecurity, go-to-market, business segments, and other departments.
“While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023,” HPE said. “Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity.”
The company does not expect the incident to have a material impact. Public companies are now required to disclose any material breach to the SEC within four business days of discovering that the incident has material impact.
Microsoft reported last week that the Midnight Blizzard group had hacked into its corporate network and stole emails and attachments from senior executives, as well as from cybersecurity and legal department staff.
The hackers had used a password spray attack to compromise a legacy non-production test tenant account, and then leveraged that account’s permissions to access corporate emails. The tech giant said the attack was launched in late November 2023 and detected on January 12, 2024, and it impacted a “very small percentage” of email accounts.
It’s unclear if Microsoft and HPE were targeted as part of the same or separate campaigns.
Midnight Blizzard is a cyberespionage-focused group also known as APT29, Cozy Bear, The Dukes, Nobelium, and Yttrium, and it’s one of the most active and most sophisticated threat actors linked to the Russian government. It has been blamed for the 2020 SolarWinds attack and other high-profile attacks.
Several government agencies reported in December that the cyberspy group had been exploiting a TeamCity vulnerability on a large scale.
In August, Microsoft warned that the group had been abusing its Teams chat app to phish for credentials at targeted organizations.
Related: HPE Says Customer Data Compromised in Aruba Data Breach
Related: Microsoft: Iranian APT Impersonating Prominent Journalist in Clever Spear-Phishing Attacks
Related: Russia-Linked APT29 Uses New Malware in Embassy Attacks