Over the past week, Microsoft and Hewlett Packard Enterprise (HPE) each disclosed a successful campaign against their organization by the Russia-based threat actor Cozy Bear (aka Midnight Blizzard, aka APT29). Both campaigns obtained access to company emails, including emails for senior leadership and cybersecurity positions. Neither Microsoft nor HPE believes the attacks were related to one another; however, both incidents are still under investigation. At the time of this writing, Microsoft has released the tactics used to access the information, but HPE has not yet released those details.
Microsoft reported the company’s breach in an SEC 8-K filing on January 17, 2024, stating that the attack started in late November 2023. During the attack, threat actors used a password spray attack to compromise a legacy non-production test tenant account. From there, the threat actors used the account’s permissions to access a “small percentage” of corporate email accounts belonging to senior leadership team members and employees in cybersecurity and legal positions. The threat actors managed to steal “some” emails and the documents attached to them. Microsoft reportedly removed the threat actor’s access to the email accounts “on or about January 13, 2024.” Microsoft claimed there is no evidence of the threat actor accessing customer environments, production systems, source code, or AI systems, but Microsoft plans to continue its investigation. Notably, the attack was not the result of a vulnerability in Microsoft products or services.
HPE’s breach was disclosed in an SEC 8-K filing on January 24, 2024, in which the company claimed that it was notified that a “suspected nation-state actor, believed to be the threat actor Midnight Blizzard, had gained unauthorized access to HPE’s cloud-based email environment” on December 12, 2023. The threat actors are believed to have gained unauthorized access and were able to exfiltrate data from mailboxes belonging to individuals in the cybersecurity, go-to-market, business segments, and other functions within the company. HPE believes the incident is related to a previous incident in which threat actors gained unauthorized access to the company’s SharePoint server and stole files. HPE’s investigation into the incident remains ongoing.