Next for The Bear: Hacking HPE inboxes

"Cozy Bear" gained unauthorized access to HPE’s cloud-based email environment


HPE has told regulators that hackers “gained unauthorized access to HPE’s cloud-based email environment” and accessed emails belonging to its cybersecurity team – hinting in a somewhat opaque SEC filing that the attackers may have had access to its email systems for seven months.

HPE said it “was notified” (it does not specify by whom) on December 12, 2023 about the incident. It attributed it to “a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear” or Russia’s SVR agency.

“We determined that such activity did not materially impact the Company… or results of operations,” HPE said.

It did not specify how the breach occurred.

The incident comes days after Microsoft said its own emails, including those of senior leadership and its cybersecurity team, were accessed by the same threat actor, which breached its systems via a “legacy non-production test tenant account” through what it said was a “password spray attack” and then pivoted from there to the emails.
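The password spray mentioned above is one of the more detectable stages of such an intrusion: many accounts each receive only one or two failed logins from the same source, so per-account lockout thresholds never trip, but a per-source view of distinct accounts does. The following is an added example, not code from The Stack, HPE or Microsoft; the sign-in log format, IP addresses, usernames and thresholds are assumptions constructed for illustration.

```python
"""Toy password-spray detector over constructed sign-in log lines.

Added example for illustration only. The log format (timestamp, source IP,
username, result), the sample records and the thresholds are assumptions;
real identity providers emit richer records, but the per-source grouping
logic is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries many accounts once each (a spray),
# an ordinary user mistypes a password twice, and the spraying source
# finally succeeds against a stale test account.
SAMPLE_LOG = """\
2023-11-02T01:00:05Z 198.51.100.7 alice FAIL
2023-11-02T01:00:09Z 198.51.100.7 bob FAIL
2023-11-02T01:00:14Z 198.51.100.7 carol FAIL
2023-11-02T01:00:20Z 198.51.100.7 dave FAIL
2023-11-02T01:00:26Z 198.51.100.7 erin FAIL
2023-11-02T01:00:31Z 198.51.100.7 frank FAIL
2023-11-02T01:00:37Z 198.51.100.7 test-tenant-admin FAIL
2023-11-02T01:03:02Z 198.51.100.7 test-tenant-admin SUCCESS
2023-11-02T01:01:00Z 203.0.113.4 grace FAIL
2023-11-02T01:01:10Z 203.0.113.4 grace FAIL
2023-11-02T01:01:25Z 203.0.113.4 grace SUCCESS
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: finding} for sources that, within `window`, failed against
    at least `min_users` distinct accounts with at most `max_per_user` failures
    each (the low-and-wide spray signature). Each finding also lists accounts
    that the same source logged into successfully inside that window, which is
    the pivot a defender most wants to see."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        # Slide a window starting at each failure; report the first that matches.
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - first[0] > window:
                    break
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                window_end = first[0] + window
                succeeded = sorted(
                    e[2] for e in evs
                    if e[3] == "SUCCESS" and first[0] <= e[0] <= window_end
                )
                findings[src] = {
                    "first_seen": first[0],
                    "distinct_users": len(per_user),
                    "success_after_spray": succeeded,
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(SAMPLE_LOG).items():
        print(src, finding)
```

Run as-is it flags only 198.51.100.7 (seven distinct accounts, one failure each, then a success against the stale test account), while 203.0.113.4's repeated failures against a single account are left alone. The thresholds are deliberately parameters: a tenant's normal sign-in noise decides `min_users` and `max_per_user`, and tightening `min_users` to 8 on this sample produces no finding.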

See also: Russian group hacks emails of Microsoft’s “senior leadership” and cybersecurity staff

HPE, which reported revenues of $29.1 billion for fiscal 2023, told the SEC under new regulations requiring breach disclosures to the regulator, that “we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes…”

HPE said in the January 19 SEC filing that it “now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023.”

It added: “Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity.”

See also: New SEC cyber-disclosure rules kick in 

It was not immediately clear from this whether HPE had failed to eradicate that activity and the attackers had retained access for seven months, or whether they had compromised it again. One thing does seem clear: a sophisticated adversary is sniffing about large enterprise technology companies’ Microsoft applications, including their emails.

Fending off an adversary of nation-state-level sophistication is no mean feat. The Stack remains firmly of the view, however, that plaintext email is an inappropriate medium for any even remotely sensitive discussion to take place in, and that teams working on operationally critical or sensitive material would be best served by moving to another platform.

Alternatives like AWS Wickr, Element, Wire and others offer end-to-end-encrypted collaboration platforms with file sharing, enterprise/regulation-friendly controls of various degrees of sophistication, and the ability to host on-premises as desired.
