HPE Hit By Midnight Blizzard Attack: 5 Things You Need To Know

Here are the top five things you need to know about the Midnight Blizzard attack on HPE’s Office 365 email environment.

Hewlett Packard Enterprise disclosed Wednesday that its Office 365 email environment was compromised in 2023 by the threat actor known as Midnight Blizzard, a Russia-aligned hacker group also recently blamed for an attack that compromised senior Microsoft executives.

In a filing with the U.S. Securities and Exchange Commission Wednesday, HPE said it was “notified” on Dec. 12 about the incident, which began in May 2023 and impacted a “small percentage” of staff email accounts.

In a statement provided to CRN Wednesday, HPE identified its impacted cloud email system as a Microsoft Office 365 environment, and said that the threat actor leveraged a compromised account to access the email environment.

“The accessed data is limited to information contained in the users’ mailboxes,” HPE said in the statement. “We continue to investigate and will make appropriate notifications as required.”

Here are the top five things you need to know about the Midnight Blizzard attack on HPE’s Office 365 email environment.

‘No Evidence’ Midnight Blizzard Hack Impacts GreenLake

HPE said there is “no evidence” that the Office 365 cloud email attack it experienced has impacted its popular HPE GreenLake hybrid cloud service.

“Our investigation is ongoing, however we have no evidence that this incident impacts the HPE GreenLake platform,” HPE said in a statement provided to CRN. “We are continuing to investigate and will notify customers or partners as appropriate.” The company said it “eradicated the activity from the Office 365 email environment shortly after the December 12 notification, and we continue to remain vigilant.”

That fact that GreenLake is not impacted is significant given that HPE now has 29,000 customers with 4 million devices and systems and more than 2 exabytes of data.

In 2021, HPE unveiled its Project Aurora zero trust security architecture for the HPE GreenLake service as part of a major effort to secure GreenLake against ransomware and other cybersecurity threats. The initiative is aimed at automatically detecting advanced threats from the silicon to the cloud, HPE has said.

HPE CEO Antonio Neri has called Aurora a “revolutionary” security framework that ensures the edge-to-cloud GreenLake platform is secure from the user to the application and then all the way down to the operating system and firmware in the hardware. He said it “fortifies” a customer’s IT security investments.

HPE Disclosure Comes In Wake Of Microsoft Attack

The HPE disclosure of the Midnight Blizzard attack came just five days after Microsoft revealed that the same hacker group was responsible for the recent high-profile breach of multiple senior Microsoft executive email accounts.

In its disclosure, Microsoft said Midnight Blizzard was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams.

HPE, meanwhile, said that Midnight Blizzard gained access to Office 365 accounts belonging to a “small number” of staff members including in its cybersecurity, go-to-market and business units.

In its statement provided to CRN, HPE said that the threat actor leveraged a compromised account to access the email environment.

Meanwhile, in response to CRN questions about the likelihood of a connection between the HPE and Microsoft incidents, HPE said in the statement that “we don’t have the details of the incident Microsoft disclosed, so we can’t say the two are linked." The company can “only [say] that the threat actor appears to be the same,” HPE said in the statement.

Microsoft, for its part, said its latest Midnight Blizzard incident began with a late November 2023 password spray attack, which compromised a “legacy non-production test tenant account.”

Attackers then used the compromised account’s permissions to “access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the company said.

Microsoft said that its security team uncovered the compromise after detecting “a nation-state attack on our corporate systems on January 12, 2024.”

Russian Hacking Group Midnight Blizzard Has A History Of High-Profile Attacks

The threat actor tracked as Midnight Blizzard, a Russia-aligned hacker group which is believed to have carried out the HPE attack, has previously been held responsible for a number of high-profile attacks. The most recent incident, the breach of multiple senior Microsoft executive emails accounts, was disclosed last Friday.

Previously, Microsoft had attributed attacks to Midnight Blizzard including the widely felt breach of SolarWinds in 2020. The company had tracked the group, which the U.S. and U.K. governments have associated with Russia’s SVR foreign intelligence unit, under the name Nobelium in the past.

That SolarWinds breach uncovered what Microsoft called in a November 2021 blog post a “sophisticated, advanced threat with a scale and scope beyond anything” researchers could have predicted.

“You got a sense that this attacker could start in hundreds of customer networks, very deep into them with elevated rights,” said John Lambert, General Manager of the Microsoft Threat Intelligence Center in the November 2021 blog post. “When you realize how many enterprise customers and government departments use [SolarWinds], you knew that this attacker had achieved a place to have major impact, across the globe.”

Last Friday, Microsoft said the latest attack highlights “the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

Microsoft Cloud Email Accounts Are A Prime Target For Hackers

The HPE breach is yet another high-profile breach of Office 365 cloud email accounts. It follows attacks including last year’s Microsoft cloud email breach, which saw the compromise of email accounts belonging to multiple U.S. government agencies. That attack is believed to have impacted the emails of Commerce Secretary Gina Raimondo as well as U.S. Ambassador to China Nicholas Burns and officials in the Commerce Department.

A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, according to reports.

The incident prompted U.S. Sen. Ron Wyden to request a federal investigation to determine “whether lax security practices by Microsoft” led to the hack, and also led to criticism from numerous prominent executives within the security industry.

In September, Microsoft disclosed that a number of issues enabled the China-linked threat actor — tracked as “Storm-0558” — to compromise the cloud email accounts of U.S. officials. Those included a flaw that caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. Another flaw led to the presence of the key not being detected, Microsoft said.

The threat actor behind that breach was able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer.

HPE Midnight Blizzard Attack Has Had ‘No Operational Impact’

HPE has pointed out that the Midnight Blizzard attack has had “no operational impact” on the business and that the disclosure to the U.S. Securities and Exchange Commission was made “out of an abundance of caution and a desire to comply with the spirit” of new SEC regulatory disclosure guidelines.

The new SEC rule -- which went into effect December 15 -- requires publicly traded companies to disclose major cyberattacks within four business days of determining an incident is “material” for its shareholders.

HPE, for its part, said that as of this date “it has not determined that this incident is likely to have a material financial impact.”

Danny Jenkins, the co-founder and CEO of cybersecurity vendor ThreatLocker, said he sees a danger that compliance with the SEC regulations will result in a blizzard of “micro-incidents” being disclosed to the public.

“Generally disclosure is good, but the danger here is that a company the size of HPE is going to have [a lot of] micro-incidents that are disclosed,” he said. “I don’t know all the details of the HPE incident but based on what has been disclosed I would say this is not a major incident.”

And if public companies opt to disclose large numbers of security incidents, according to Jenkins, “what we are going to see is white noise.”