An infamous Russian state hacking unit compromised the cloud-based email environment of HPE and exfiltrated data from a “small percentage” of mailboxes, the enterprise IT giant HPE has revealed in a regulatory filing.
HPE said in an 8-K filing with the SEC that the suspected actor is APT29 (aka Midnight Blizzard, Cozy Bear), a group linked to Russia’s Foreign Intelligence Service (SVR). It claimed the breach occurred back in May and is connected to another incident.
“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” it said.
“While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023.”
HPE said that, following that June notification, it employed external cybersecurity experts to investigate, contain and remediate.
“Upon undertaking such actions, we determined that such activity did not materially impact the company,” it noted.
However, the firm will likely be concerned that the full extent of the breach wasn’t identified at the time.
“We have notified and are cooperating with law enforcement and are also assessing our regulatory notification obligations, and we will make notifications as appropriate based on our investigation findings,” it said of the latest discovery.
“As of the date of this filing, the incident has not had a material impact on the company’s operations, and the company has not determined the incident is reasonably likely to materially impact the company’s financial condition or results of operations.”
Late last week, Microsoft revealed that APT29 managed to compromise the email accounts of some of its senior leadership team. The tech giant said the group was able to do so using only basic brute force techniques – implying that the accounts weren’t protected by multi-factor authentication (MFA).