Russian hackers breached Microsoft, HPE corporate mailboxes

Cozy Bear (aka Midnight Blizzard, aka APT29) has been busy hacking and spying on big tech companies: both Microsoft and Hewlett Packard Enterprise (HPE) have recently disclosed successful attack campaigns by the Russia-affiliated APT group.


The Microsoft breach

Last Friday, Microsoft revealed that a threat actor identified as Midnight Blizzard – a hacking group believed to be associated with the Russian Foreign Intelligence Service (SVR) – had breached its corporate systems on January 12, 2024.

The company revealed that the attack started in late November 2023 and that the hackers used a password spray attack to compromise a legacy non-production test tenant account.

By leveraging the account’s permissions, they accessed a “very small” percentage of corporate email accounts belonging to senior leadership team members and employees from the cybersecurity and legal departments, and managed to steal some emails and attached documents.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said, and reassured that the attack was not related to a vulnerability in their products or services.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the company concluded.

(Earlier this year, Chinese hackers managed to get a hold of a Microsoft signing key, which they used to breach Microsoft 365’s email service and access accounts of US government employees.)

The HPE breach

HPE’s breach was disclosed in an SEC 8-K filing, in which the company stated that it was notified on December 12, 2023 that a suspected nation-state actor, believed to be Midnight Blizzard, had gained unauthorized access to its cloud-based email environment.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company noted.

“While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023.”
