HPE Discloses Hack By Russian Group Behind Microsoft Email Breach

The company said the attacker is believed to be the group tracked as Midnight Blizzard, a Russian state-sponsored threat actor also held responsible for the recent breach of Microsoft senior executive accounts.

Hewlett Packard Enterprise disclosed that its cloud email environment was compromised in 2023 by the threat actor tracked as Midnight Blizzard, a Russia-aligned hacker group also recently blamed for an attack that compromised senior Microsoft executives.

In a filing with the U.S. Securities and Exchange Commission Wednesday, HPE said it was “notified” on Dec. 12 about the incident, which began in May 2023 and impacted a “small percentage” of staff email accounts.


In a statement provided to CRN Wednesday, HPE identified its impacted cloud email system as a Microsoft Office 365 environment, and said that the threat actor leveraged a compromised account to access the email environment.

“The accessed data is limited to information contained in the users’ mailboxes,” HPE said in the statement. “We continue to investigate and will make appropriate notifications as required.”

The hacker group behind the attack, also tracked under the name Cozy Bear, was earlier held responsible by Microsoft for the recent high-profile breach of multiple senior executive email accounts, in the company’s disclosure last Friday.

In response to CRN questions about the likelihood of a connection between the HPE and Microsoft incidents, HPE said in the statement that “we don’t have the details of the incident Microsoft disclosed, so we can’t say the two are linked.” The company can “only [say] that the threat actor appears to be the same,” HPE said in the statement.

Microsoft has previously attributed a series of major attacks to Midnight Blizzard, most prominently the widely felt breach of SolarWinds in 2020.

‘Unauthorized Access’

In the SEC filing, HPE said the Dec. 12 notification indicated that the threat actor known as Midnight Blizzard had “gained unauthorized access to HPE’s cloud-based email environment.”

HPE “immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity,” the IT infrastructure giant said in the filing.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes,” the company disclosed.

The email accounts belonged to individuals within several segments at the company, including its cybersecurity, go-to-market and business units, HPE said.

The Spring, Texas-based company filed the disclosure as part of complying with recently introduced SEC cyberattack disclosure rules for public companies.

“As of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” HPE said in the SEC filing.

A top executive for an HPE partner, who did not want to be identified, told CRN that the incident “only further exacerbates need for greater security vigilance in any organization.”

“Nobody is immune from these attacks,” the executive said. “HPE is taking this seriously and taking action. With the threat actor being the same company that went after Microsoft, it shows that bigger companies are under attack. The bigger the name the bigger the target. HPE appears to be doing the right thing and taking the right steps to protect themselves, the partner community and their customers worldwide.”

In response to questions from CRN Wednesday, HPE added that the company has “observed no additional activity by the actor” since removing the threat actor from its email environment on Dec. 12, “shortly after” receiving the notification about the attack.

“However, we remain vigilant to ensure that the actor remains outside of our environment,” HPE said. Additionally, “we continue to analyze these mailboxes to identify information that could have been accessed by the actor and will make appropriate notifications as required,” the company said.

Connection To Prior Incident

HPE noted in the SEC filing that it also believes the incident is “likely related to earlier activity by this threat actor, of which we were notified in June 2023.” The earlier incident involved “unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023.”

“Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity,” HPE said in the filing. “Upon undertaking such actions, we determined that such activity did not materially impact the company.”

The CEO for another top HPE partner, who did not want to be identified, said he is anxious to see if there are any potential ramifications or impact for his HPE GreenLake customers.

“My question is, how does this impact our collective GreenLake customers?” said the executive. “Do we need to notify them? Are they at risk? The question is, how does this tie into all the GreenLake services and business that we do with HPE. We need to know whether we or our customers are at risk.”

The HPE email breach is a sign that no vendor or company is safe from the ever-growing security threats by bad actors, according to the executive.

“No one can guarantee 100-percent security,” the executive said. “This shows the need for all of us to put in more layers of protection for our customers. You need to make it more difficult for the bad actors. Security is a big issue for all of our customers.”

MFA Needed

Danny Jenkins, the co-founder and CEO of cybersecurity vendor ThreatLocker, told CRN that the breach demonstrates the ongoing need for multifactor authentication (MFA) and tougher endpoint controls to prevent attackers from stealing authentication tokens.

With the HPE incident, “in all probability it was likely the result of a phishing attack or stealing tokens,” Jenkins said in an interview Wednesday.

Ultimately, “this could happen to any email platform. It just happens that Microsoft owns 90 percent of the market,” he said.

The challenge with Office 365 is that MFA is not turned on by default, Jenkins said.

“So if a user is phished, then the attacker gets their password and it is easy to gain access,” he said. “There are also no conditional access policies, which means they are not limiting logins from certain IP addresses or certain locations.”
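As an added illustration of the two controls Jenkins describes (MFA enforcement and conditional access based on location and source IP), and not code from the article or from HPE or Microsoft: the Python script below runs a triage over a handful of constructed sign-in records, loosely modelled on the fields of Entra ID / Office 365 sign-in logs, and flags every successful sign-in that was single-factor, came from a country outside an allowlist, or came from an IP outside trusted network ranges. The field names, sample values, policy, and error code handling are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample sign-in records (assumed field names, modelled on
# Entra ID sign-in logs; IPs are from documentation ranges).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"},
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.5",
     "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # assumed: failed sign-in (bad password)
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.200",
     "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
]


@dataclass
class Policy:
    """Assumed tenant policy: the baseline a conditional access rule would enforce."""
    allowed_countries: set
    trusted_networks: list  # list of ipaddress.ip_network objects
    require_mfa: bool = True


# Example policy for this demonstration (assumption, not a real tenant's).
EXAMPLE_POLICY = Policy(
    allowed_countries={"US"},
    trusted_networks=[ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("192.0.2.0/24")],
)


def evaluate_signin(rec, policy):
    """Return a list of findings for one sign-in record; empty means compliant."""
    findings = []
    # Only successful sign-ins matter here: a failed attempt granted no access.
    if rec["status"]["errorCode"] != 0:
        return findings
    # Control 1: the sign-in must have satisfied MFA.
    if policy.require_mfa and rec["authenticationRequirement"] != "multiFactorAuthentication":
        findings.append("single-factor sign-in")
    # Control 2: geographic allowlist (what a location-based policy would check).
    country = rec["location"]["countryOrRegion"]
    if country not in policy.allowed_countries:
        findings.append(f"country {country} not in allowlist")
    # Control 3: source IP must fall inside a trusted network range.
    ip = ipaddress.ip_address(rec["ipAddress"])
    if not any(ip in net for net in policy.trusted_networks):
        findings.append(f"ip {ip} outside trusted networks")
    return findings


def triage(records, policy):
    """Group findings by user so an analyst sees which accounts need follow-up."""
    results = {}
    for rec in records:
        findings = evaluate_signin(rec, policy)
        if findings:
            results.setdefault(rec["userPrincipalName"], []).append(
                (rec["ipAddress"], findings))
    return results


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_SIGNINS, EXAMPLE_POLICY).items():
        for ip, findings in hits:
            print(f"{user} from {ip}: {', '.join(findings)}")
```

With the sample data only bob@example.com is reported, on all three counts. The point of keeping the country and IP checks even when MFA is enforced is the token theft Jenkins mentions: a session token replayed from an attacker's machine still shows as an MFA-satisfied sign-in, so the network and location checks are what would surface it.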