Russian hackers are targeting everyone; first Microsoft, now HPE – and there could be more

• Russian hackers target Microsoft and HPE, revealing heightened cyberthreat levels.
• HPE breach by elite hackers exposes critical email system vulnerabilities.
• Cyberattacks on tech firms underscore the urgent need for more robust cybersecurity.

Cyberattacks by Russian hackers have intensified recently, targeting two major technology companies within the same month. Hewlett Packard Enterprise (HPE) disclosed a breach in its cloud-based email systems, perpetrated by the same Russian hacking group implicated in previous Microsoft email account intrusions.

In a securities filing, HPE revealed that the December 12, 2023 incident affected several email accounts in areas including cybersecurity, marketing, and various business sectors. Following the discovery of the breach, HPE engaged external cybersecurity experts to launch an investigation and response, successfully eradicating the malicious activity.

HPE became aware of the intrusion on January 12, as stated in their Securities and Exchange Commission filing. The company suspects the hackers are part of Cozy Bear, a unit of Russia’s SVR foreign intelligence service.

Cozy Bear: the notorious group behind the attacks

Microsoft, too, experienced a similar breach in its corporate network, reported last week. Originating in late November, this attack compromised accounts of senior executives and staff in cybersecurity and legal departments, with Cozy Bear believed to be responsible.

Cozy Bear is a sophisticated cyber-espionage group with links to Russia’s foreign intelligence service, known by various names like “Midnight Blizzard” and “APT29.” The group, noted for stealthy intelligence-gathering, primarily targets Western governments, IT service providers, and think tanks in the US and Europe. Cozy Bear’s notoriety increased after orchestrating the SolarWinds breach.

HPE’s investigation suggests that the hackers have been accessing and extracting data from certain mailboxes since May 2023. Adam R. Bauer, a spokesperson for HPE, declined to reveal the source of the breach notification. He confirmed that the affected mailboxes were running on Microsoft software. The company is still assessing the full extent of the breach, which appears not to have significantly impacted its operations or financial health. This incident follows a new US Securities and Exchange Commission rule requiring public companies to report breaches that could impact their business promptly.

Additionally, the HPE breach involved unauthorized access to a limited number of SharePoint files in June 2023. SharePoint, a Microsoft 365 suite component, encompasses email, word processing, and spreadsheet applications.

While HPE is unable to confirm a direct link between its breach and the one reported by Microsoft, the company continues its investigation. The seniority of the affected HPE employees and the full scope of accessed mailboxes remain under scrutiny.

In response to these incidents, US officials have pointed out that Cozy Bear used compromised software from US tech firm SolarWinds in 2020 to infiltrate various US government agencies. This led to an overhaul of the US government’s cybersecurity defenses. Since then, the group has continued targeting US and European government agencies, frequently exploiting software providers and demonstrating a particular aptitude for breaching cloud computing networks. The FBI has observed such tactics as early as 2018.

Regarding the December breach, HPE is evaluating its potential impact on the company’s financial status and operations.

Microsoft’s recent disclosure of a breach by Cozy Bear involved a small number of its corporate email accounts, including senior executives. The company’s response included immediate investigation and mitigation efforts. However, Microsoft’s revelation that the hackers employed a simple technique, known as password spraying, has led to increased scrutiny of its security practices. A senior US National Security Agency official expressed disappointment over Microsoft’s vulnerability to such attacks, emphasizing the need for large tech firms to be vigilant against state-backed hackers.

Microsoft has refrained from commenting on these developments. Additionally, the company was involved in an alleged Chinese hack last year, compromising the email accounts of top US officials, including the Commerce Secretary and the US Ambassador to China. This campaign originated with the breach of a Microsoft engineer’s corporate account.

Sweden is also targeted by Russian hackers

In a related development, Russian hackers are suspected of disrupting online services for several Swedish government agencies and retail stores, as reported by IT consultancy Tietoevry. The Swedish-Finnish company indicated that resolving the issue might take considerable time.

The Moscow Times reported that the attack affected Tietoevry’s data center in Sweden, impacting online transactions at the country’s largest cinema chain, department stores, and other retail outlets. Sweden’s central government service center, Statens Servicecenter, experienced disruptions to its human resources system, affecting public sector employees’ ability to submit overtime, sick leave, or vacation requests.

In a statement issued recently, Tietoevry suggested that the restoration process could extend over several days or weeks due to the incident’s complexity and the numerous customer-specific systems involved. Caroline Johansson Sjowall, spokesperson for Statens Servicecenter, reported that the attack affected “120 government agencies and more than 60,000 employees.”

Cybersecurity experts, including Tietoevry, suspect the involvement of Akira, a hacker group with Russian ties. The company has filed a police report regarding the attack and is assessing its financial implications. Currently, Tietoevry has not released any information regarding a ransom demand, which is typical in ransomware attacks where hackers encrypt or steal data and then demand payment for its decryption or to prevent its public release.

Civil Defense Minister Carl-Oskar Bohlin stressed the urgency of prioritizing cybersecurity across both public and private sectors. In a statement on X, formerly known as Twitter, Bohlin announced the government’s intention to convene a meeting with affected parties to thoroughly evaluate the incident and formulate a response strategy once the operational phase is concluded.

The Swedish Civil Contingencies Agency (MSB) underscored the significance of this attack as a critical alert. Margareta Palmqvist, head of information security at MSB, voiced concerns to the Swedish news agency TT about the country’s rapid digitalization outpacing its cybersecurity investments. She emphasized the importance of being proactive in cybersecurity measures, ensuring preparedness for such cyber threats.

This series of cyberattacks underscores the evolving landscape of digital threats, highlighting the critical need for robust cybersecurity measures in both the public and private sectors. The incidents involving HPE, Microsoft, and the Swedish government agencies reflect a growing trend of sophisticated cyber-espionage and ransomware attacks that target vital infrastructure and services.

As these threats evolve, the need for vigilance and investment in cybersecurity becomes increasingly crucial to protect sensitive data and maintain the integrity of critical systems worldwide.

---

---

---