'Midnight Blizzard' Breached HPE Email Months Before Microsoft Hack
The Russian APT behind the SolarWinds attacks exfiltrated data from HPE email accounts last May.
January 25, 2024
Months before Russian threat actor "Midnight Blizzard" accessed and exfiltrated data from email accounts belonging to senior leadership at Microsoft last November, the group already had done the same at Hewlett-Packard Enterprise (HPE).
A new Form 8-K SEC filing on Jan. 19 shows that Midnight Blizzard, also known as Nobelium, Cozy Bear, and APT29, breached HPE's cloud-hosted email environment, sometime in May 2023. The attackers exfiltrated data from accounts belonging to what the company claimed was a small number of individuals in the company's cybersecurity, marketing, business, and other segments.
HPE said it learned of the intrusion on Dec. 12, 2023, and has been working with external cybersecurity experts since then to determine the full scope and exact timeline of the attack. "The Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023," HPE's filing said.
Microsoft Disclosed a Similar Breach Last Week
News of HPE's SEC filing comes just days after Microsoft disclosed in a blog post last week that it had detected a Midnight Blizzard attack on its corporate systems on Jan. 12. The company said its investigation showed the attacker had likely breached its systems in November 2023 and has since then been exfiltrating information from email accounts belonging to senior leadership and employees in cybersecurity, legal, and other functions.
Midnight Blizzard gained initial access to Microsoft's corporate network by using a common password spray attack to breach a legacy non-production test account. The threat actor then used that account's permissions to access email accounts of interest at Microsoft. "The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed," according to Microsoft's blog post.
Microsoft has vowed to revamp its security protocols — especially those involving its legacy systems —following the incident.
A Dangerous State-Sponsored Threat
The attacks have focused fresh attention on Midnight Blizzard, a threat actor that the US government has formally tied to Russia's Foreign Intelligence Service (SVR). In April 2021, the US Cybersecurity and Infrastructure Security Agency, the FBI, and National Security Agency identified the threat actor as responsible for breaking into SolarWinds' build environment and planting malware in a legitimate software update that many customers ended up downloading on their systems. SolarWinds detected and announced the breach in December 2020, though the actual breach happened in September 2019, with initial probing activity starting in January 2019.
That intrusion marked a broader focus for the threat actor, which has been operational since around 2009. Many of its initial campaigns were focused on political intelligence gathering. Among the most notable were its attacks on the Democratic National Committee (DNC) in 2015 and a wave of attacks on EU governments, NATO think tanks, and others in 2019.
But as CISA noted in a December 2023 advisory, since 2018, and especially after SolarWinds, Midnight Blizzard/SVR has also been focusing heavily on technology companies. Many of its campaigns have involved what CISA has described as "low and slow" password spraying and exploits against vulnerabilities in certain widely used products. Some of the flaws the group has commonly exploited include CVE-2018-13379 in Fortinet devices; CVE-2019-9670 in Zimbra, CVE-2019-11510 in Pulse Secure VPN, CVE-2019-1978 in Citrix, and CVE-2020-4006 affecting VMware.
Extensive Targeting of JetBrains TeamCity Vulnerability
In its December advisory, CISA added CVE-2023-42793, an authentication bypass vulnerability in JetBrains TeamCity, to the list of flaws the group has been targeting aggressively in recent months. CISA warned about how access to a TeamCity server would provide the threat actor with access to source code, signing certificates and the ability to tamper with software compilation and deployment processes. By choosing to exploit CVE-2023-42793, "SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," the advisory noted.
As of the time of the CISA advisory, at least, the SVR/Midnight Blizzard had not used the access provided by the TeamCity CVE to pull off a SolarWinds-like attack. But the threat actor is using the vulnerability to escalate privileges, move laterally, deploy additional payloads, and establish persistence, CISA has warned.
"At this particular time, cybersecurity industry pundits and thought leaders have been floating a variety of opinions on what is motivating Midnight Blizzard to conduct these targeted attacks," said Yossi Rachman, senior director of security research at Semperis. "Currently, it is highly likely they are on an information gathering mission to glean any information HP security pros and Microsoft has on Russian-backed attack groups and the Russian cyber offensive efforts as a whole."
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024