Getty Photos
Hewlett Packard Enterprise (HPE) stated Wednesday that Kremlin-backed actors hacked into the e-mail accounts of its safety personnel and different staff final Might—and maintained surreptitious entry till December. The disclosure was the second revelation of a serious company community breach by the hacking group in 5 days.
The hacking group that hit HPE is similar one which Microsoft said Friday broke into its company community in November and monitored electronic mail accounts of senior executives and safety workforce members till being pushed out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Beneath the corporate’s not too long ago retired menace actor naming conference, which was based mostly on chemical parts, the group was often known as Nobelium.) However it’s maybe higher identified by the title Cozy Bear—although researchers have additionally dubbed it APT29, the Dukes, Cloaked Ursa, and Darkish Halo.
“On December 12, 2023, Hewlett Packard Enterprise was notified {that a} suspected nation-state actor, believed to be the menace actor Midnight Blizzard, the state-sponsored actor also called Cozy Bear, had gained unauthorized entry to HPE’s cloud-based electronic mail atmosphere,” firm attorneys wrote in a filing with the Securities and Trade Fee. “The Firm, with help from exterior cybersecurity specialists, instantly activated our response course of to research, include, and remediate the incident, eradicating the exercise. Based mostly on our investigation, we now imagine that the menace actor accessed and exfiltrated knowledge starting in Might 2023 from a small share of HPE mailboxes belonging to people in our cybersecurity, go-to-market, enterprise segments, and different features.”
An HPE consultant stated in an electronic mail that Cozy Bear’s preliminary entry into the community was by “a compromised, inside HPE Workplace 365 electronic mail account [that] was leveraged to achieve entry.” The consultant declined to elaborate. The consultant additionally declined to say how HPE found the breach.
Cozy Bear hacking its means into the e-mail methods of two of the world’s strongest corporations and monitoring high staff’ accounts for months aren’t the one similarities within the two occasions. Each breaches additionally concerned the compromise of a single machine on every company community, then escalating that toehold to the community itself. From there, Cozy Bear camped out undetected for months. The HPE intrusion was all of the extra spectacular as a result of Wednesday’s disclosure stated that the hackers additionally gained entry to Sharepoint servers in Might. Even after HPE detected and contained that breach a month later, it could take HPE one other six months to find the compromised electronic mail accounts.
The pair of disclosures, coming inside 5 days of one another, might create the impression that there was a latest flurry of hacking exercise. However Cozy Bear has truly been one of the vital lively nation-state teams since at least 2010. Within the intervening 14 years, it has waged an nearly fixed sequence of assaults, totally on the networks of governmental organizations and the expertise corporations that provide them. A number of intelligence companies and personal analysis corporations have attributed the hacking group as an arm of Russia’s Overseas Intelligence Service, also called the SVR.
The life and occasions of Cozy Bear (to this point)
In its earliest years, Cozy Bear operated in relative obscurity—exactly the area it prefers—because it hacked mostly western governmental agencies and associated organizations resembling political suppose tanks and governmental subcontractors. In 2013, researchers from safety agency Kaspersky unearthed MiniDuke, a classy piece of malware that had taken maintain of 60 authorities businesses, suppose tanks, and different high-profile organizations in 23 nations, together with the US, Hungary, Ukraine, Belgium, and Portugal.
MiniDuke was notable for its odd mixture of superior programming and the gratuitous references to literature discovered embedded into its code. (It contained strings that alluded to Dante Alighieri’s Divine Comedy and to 666, the Mark of the Beast mentioned in a verse from the E-book of Revelation.) Written in meeting, using a number of ranges of encryption, and counting on hijacked Twitter accounts and automatic Google searches to take care of stealthy communications with command-and-control servers, MiniDuke was among the many most superior items of malware discovered on the time.
It wasn’t instantly clear who was behind the mysterious malware—one other testomony to the stealth of its creators. In 2015, nonetheless, researchers linked MiniDuke—and 7 different items of beforehand unidentified malware—to Cozy Bear. After a half decade of lurking, the shadowy group was instantly introduced into the sunshine of day.
Cozy Bear as soon as once more got here to prominence the next yr when researchers found the group (together with Fancy Bear, a separate Russian-state hacking group) contained in the servers of the Democratic Nationwide Committee, searching for intelligence resembling opposition research into Donald Trump, the Republication nominee for president on the time. The hacking group resurfaced within the days following Trump’s election victory that yr with a major spear-phishing blitz that focused dozens of organizations in authorities, army, protection contracting, media, and different industries.
Considered one of Cozy Bear’s crowning achievements got here in late 2020 with the invention of an extensive supply chain assault that focused clients of SolarWinds, the Austin, Texas, maker of community administration instruments. After compromising SolarWinds’ software program construct system, the hacking group pushed contaminated updates to roughly 18,000 clients. The hackers then used the updates to compromise 9 federal businesses and about 100 personal corporations, White Home officers have stated.
Cozy Bear has remained lively, with multiple campaigns coming to mild in 2021, together with one which used zero-day vulnerabilities to infect fully updated iPhones. Final yr, the group devoted a lot of its time to hacks of Ukraine.
