Technology giant Hewlett Packard Enterprise (HPE) has revealed that a threat group it believes is tied to Russia’s Foreign Intelligence Service had access to portions of its systems for more than six months.
HPE believes notorious Russian espionage gang APT29 (also known as Cozy Bear, Midnight Blizzard and Nobelium) stole SharePoint and email files from its networks between May and December last year.
The company announced the security breach in a Jan. 24 Form 8-K disclosure, filed with the U.S. Securities and Exchange Commission (SEC).
HPE is the second publicly traded multinational technology company to announce a serious attack on its corporate email systems within the space of a week. Both hacks have been attributed to APT29.
Microsoft revealed on Jan. 19 that the threat group had accessed and exfiltrated data from staff email accounts, including members of its senior leadership team.
It is possible neither attack would have been made public if a rule change requiring listed companies to report “material” cyberattack incidents within four days had not come into force last month.
HPE breach dates back to May 2023
In its 8-K notice and a subsequent media statement, HPE said it learned on Dec. 12 that a suspected nation-state actor, believed to be APT29, had infiltrated the company’s Office 365 email environment.
With the help of external cybersecurity experts, it took immediate action “to investigate, contain, and remediate the incident, eradicating the activity”.
As a result of its investigations, HPE concluded the attack was likely related to an earlier incident that came to light in June last year: another breach by APT29 where the gang stole a “limited number” of SharePoint files.
“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company said.
HPE said that when the alarm bells rang in June, it took immediate containment and remediation steps “intended to eradicate the activity”. But, on the basis of the company’s statements, it appears that initial eradication attempt was unsuccessful: the actor retained access to the email environment until December.
Disclosure made ‘out of an abundance of caution’
The December rule change requires public companies to disclose cyberattacks to the SEC within four working days, once an organization determines the incident in question reaches the threshold of having a “material” impact on the business.
In its 8-K, HPE said while its investigation into APT29’s attack was continuing, the company did not believe the hacks and data theft would have a material impact on its operations or its financial outlook.
In its subsequent media statement, HPE explained its reason for alerting the market to the incident.
“Out of an abundance of caution and a desire to comply with the spirit of new regulatory disclosure guidelines, we have filed a form 8-K with the Securities & Exchange Commission to notify that body, and investors, about this incident,” the statement said.
“That said, there has been no operational impact on our business and, to date, we have not determined that this incident is likely to have a material financial impact.”
When Microsoft revealed its brush with APT29 last week, it told investors the incident had not had an initial material impact on the company’s operations. However, it added it had “not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations”.