Unsurprisingly, a looming series of major elections around the world has been accompanied by a surge in activity by Russian hackers. “Midnight Blizzard,” formerly known as Cozy Bear, was recently named as the perpetrator of an attack on Microsoft. It also appears to have been behind a December security breach of Hewlett Packard Enterprise (HPE), the second time it hit the company in the space of a year.
Microsoft, HPE attacks signal increased activity from Russian hackers
Midnight Blizzard may have a new name, but it is a familiar adversary. The Russian hackers are believed to have been active since the late 2000s, and often emerge from relative dormancy during election periods to harass a wide variety of targets. The group has been relatively quiet since the SolarWinds security breach, but of late it appears to have been reading the private internal communications of its targets to find out what their security teams know and say about it.
The purpose of the latest security breach of HPE remains unknown, as the company disclosed only the minimum required information in its mandatory SEC filing (in which it stated that it does not expect the incident to have a material impact). But this was the second time the company was hit by Midnight Blizzard in 2023. It was attacked in May 2023 in a similar incident that also involved “a small percentage” of HPE mailboxes. Of that prior incident, HPE said only that it involved the exfiltration of a “limited” number of SharePoint files belonging to certain employees.
It is possible that the Russian hackers were probing for systemic vulnerabilities in the company’s products. China’s state-backed hackers took a similar approach in 2018, breaking into HPE (among other companies) as part of the Cloudhopper corporate espionage campaign, using compromised service providers as a new means of reaching their customers. In terms of broader activity related to the upcoming elections, the central interest for both Chinese and Russian hackers is material for propaganda and disinformation campaigns.
HPE security breach involved senior leadership, cybersecurity team
What little is known about the HPE security breach so far does indicate that the Russian hackers were interested in a broader range of information, despite targeting only a “small number” of accounts both there and at Microsoft. In the Microsoft attack, the hackers had the potential to go much further but seemed content to quietly monitor whatever the company’s security team was saying about them. The HPE incident appears to involve a more varied collection of business and legal information.
There is also some confusion as to how closely the two 2023 HPE attacks are tied together, given the company’s wording. The company indicated that the two are related, but was thought to have chased the Russian hackers out of its systems by June of last year. Its statement on the prior hack said only that it “took measures” to remove the hackers, however, without affirming that they were completely removed.
One major takeaway is that no tech company is large or sophisticated enough to be immune to security breaches, and that relatively simple attacks can still defeat sophisticated defenses if the adversary locates the right crack in the wall. We are still waiting to hear what caused the HPE breach, but the Russian hackers struck gold against Microsoft by finding a poorly protected legacy system and getting in with a simple password spray attack: trying a handful of common passwords against a large number of accounts, so that no single account racks up enough failures to trip a lockout, until one of them works.