Email security, Managed Security Services

HPE, Microsoft Midnight Blizzard Hackers Lurked in Systems for Months

Microsoft Outlook logo displayed on a phone screen and Microsoft logo displayed on a screen in the background are seen in this illustration photo taken in Krakow, Poland on May 26, 2022. (Photo Illustration by Jakub Porzycki/NurPhoto via Getty Images)

Hewlett Packard Enterprise (HPE) and Microsoft both reported cyberattacks in recent weeks, and it appears that the two attacks are linked to the same syndicate.

HPE said that it had been hacked by the same cyber syndicate that hit Microsoft. The Microsoft attack was focused on breaking into email accounts of some of the company’s senior leadership. Microsoft did not identify the affected employees or disclose which emails and attached documents had been exfiltrated.

HPE reported the cyberattack in a Securities and Exchange Commission (SEC) 8-K filing earlier this month.

Cyberattack on Microsoft: Motive

In the Microsoft case, the attack appeared to be motivated by spying. The break-in seemed to focused on discovering what intelligence and knowledge the Microsoft has related to Midnight Blizzard (aka Nobelium, Cozy Bear or APT29) perpetrators. Midnight Blizzard is widely believed in the security community to be tied to Russia’s foreign intelligence service.

Microsoft’s investigation of Nobelium dates back three years to an examination of the threat group’s activities as detailed in a four-part blog series.

Microsoft said in an 8-K filing that on January 12 it detected an intrusion that began in November 2023. According to Microsoft, the threat actor managed gained access to and exfiltrated information by using a brute force password attack.

Password spray attacks can usually be prevented by simple authentication layers (multi-factor authentication) to confirm identity.

Cyberattack on HPE: Motive

The threat actor’s motivation for the HPE attack isn’t clear, but it’s not too far afield to contend it is the same as with Microsoft’s infiltration. In its SEC filing, HPE said it had concluded that “this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023.”

HPE said it “immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity.” It’s unclear if MSSPs were involved in the remediation efforts.

Midnight Blizzard reportedly meddled in the 2016 U.S. Presidential election and has orchestrated government and corporate espionage for years, including the infamous SolarWinds supply chain attack that hit nearly a dozen U.S. federal agencies and tens of thousands of corporate servers.

Microsoft has called the SolarWinds incident the “most sophisticated nation-state attack in history.”

Details of the HPE Attack

In the SEC filing, HPE said it learned of the breach of its cloud-hosted email environment on January 12, 2024. The intruders first entered HPE’s systems in May 2023, the company said. They took a “small percentage” of its Office 365 mailboxes, mostly belonging to its cybersecurity and marketing departments.

HPE did not say how the attack had been discovered.

In a safety-first move to comply with the SEC’s new rule that publicly held companies must report within four business days cyber incidents that have a material effect on its operations, HPE, as did Microsoft, “determined that such activity did not materially impact” its business.

Microsoft: Cybersecurity Best Practices Followed?

Microsoft’s case has brought with it some questions. The Redmond, Washington-based tech market leader said the crew had gained access to a Microsoft legacy, non-production test tenant account, raising inquiries about the company's standardized security best practices.

“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account,” the vendor wrote in a blog post. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”

Still, the attack does “highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the vendor said.

Microsoft vowed to advance its cybersecurity protection project, the Secure Future Initiative, given how well-funded and resourced the attackers are backed. In a tacit admission that it had not standardized best practices across its systems new and old, the vendor said it will “act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” the company said.

“If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure [MFA] and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” Microsoft said in a follow up blog posted on January 25, 2024.

Advice for Cybersecurity Leaders

In light of the Microsoft attack, Norman Guadagno, chief marketing officer at Mimecast, an email security specialist, suggested in a blog post three takeaways for organizations to consider:

  • In this case, Microsoft’s reported internal lapse in applying best practices led to the compromise and theft of confidential systems and data. This is a good reminder for IT and cybersecurity leaders to implement and ensure the right practices and protocols are in place across technology infrastructure and systems.
  • While Microsoft provides standard cybersecurity solutions for its suite of workplace tools, the truth is that every organization requires a hyper-tailored strategy and offerings to ensure they’re putting forward a defense that best aligns with their unique needs and posture.
  • Remember that every comms channel can serve as an entry point. The most sensitive and, therefore, opportune data lives in our communications.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.