UPDATED 19:22 EDT / JANUARY 24 2024

HPE compromised by same Russian group behind SolarWinds and Microsoft hacks

Hewlett Packard Enterprise Co. is the latest company to be targeted by a Russian-linked hacking group, with a small percentage of mailboxes belonging to people who work in the company’s cybersecurity and other departments compromised.

The disclosure was made in a Jan. 19 filing with the U.S. Securities and Exchange Commission. HPE said the attacker was identified as Midnight Blizzard. Also known as Cozy Bear and Nobelium, the hacking group is the same Russian-linked gang that was behind the hack of SolarWinds and, more recently, the compromise of a small number of email accounts belonging to Microsoft Corp.

HPE said in the filing that it was notified on Dec. 12 that a suspected nation-state actor had gained unauthorized access to HPE’s cloud-based email environment. Upon finding the breach, HPE hired external cybersecurity experts and activated its response plan to investigate, remediate and eradicate the activity. 

Further investigation found that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments and other departments. HPE added that it believes that the incident was likely related to an incident it became aware of in June 2023 that involved the exfiltration of a limited number of SharePoint files.

HPE has notified law enforcement and is also assessing its regulatory notification obligations. The incident did not have a material impact on the company’s operations. However, it has not been determined if the incident will materially affect the company’s financial conditions or operations. In other words, it’s not 100% sure what was stolen from the breached email accounts.

Although no further information was immediately available, the fact that HPE noted its cybersecurity staff were targeted suggests that Midnight Blizzard/Nobelium was, as in the case with Microsoft, looking for information about itself.

In Microsoft’s case, the threat actor used a password spray attack to compromise a legacy nonproduction test tenant account to gain a foothold and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. Password-spraying is a type of cyberattack where an attacker attempts to gain unauthorized access to many accounts by employing a few commonly used passwords.

It’s highly likely that similar tactics were used to gain access to HPE corporate email accounts as well.
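The password-spray pattern described above leaves a recognizable shape in sign-in logs: one source failing against many accounts, with only a few tries each. The following is an added example, not code from the article, HPE or Microsoft; the event format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source IP, account, result).
# IPs come from documentation ranges; account names are made up.
SAMPLE_EVENTS = (
    [(f"2024-01-10T09:{m:02d}:00", "203.0.113.7", f"user{m}", "FAIL") for m in range(6)]
    + [("2024-01-10T09:06:00", "203.0.113.7", "legacy-test", "SUCCESS")]
    # Classic brute force: many tries against ONE account (not a spray).
    + [(f"2024-01-10T09:{m:02d}:30", "198.51.100.9", "alice", "FAIL") for m in range(8)]
    # Ordinary user typo followed by a good login.
    + [("2024-01-10T09:20:00", "192.0.2.10", "bob", "FAIL"),
       ("2024-01-10T09:20:40", "192.0.2.10", "bob", "SUCCESS")]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Map each suspicious source IP to the accounts it targeted.

    A source is flagged when, inside one sliding window, its failed sign-ins
    span at least `min_accounts` accounts with at most `max_per_account`
    tries per account (assumed thresholds; tune to the environment).
    """
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), account))
    flagged = defaultdict(set)
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop failures that fell out of the window
            counts = defaultdict(int)
            for _, account in rows[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip].update(counts)
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}

def successes_from(events, flagged):
    """Accounts a flagged source actually logged in to: the triage priority."""
    return sorted({(ip, acct) for _, ip, acct, res in events
                   if res == "SUCCESS" and ip in flagged})

if __name__ == "__main__":
    hits = detect_spray(SAMPLE_EVENTS)
    print(hits)
    print(successes_from(SAMPLE_EVENTS, hits))
```

Counting distinct accounts per source, rather than failures per account, is what separates a spray from brute force; per-account lockout thresholds alone do not trigger on it.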
