‘Midnight Blizzard’ Compromised HPE Email Months Prior to Microsoft Hack

A recent Form 8-K SEC filing from Hewlett Packard Enterprise (HPE) has revealed that the Russian threat actor “Midnight Blizzard” gained unauthorized access to the company’s cloud-hosted email environment last May. This intrusion allowed the attackers to exfiltrate data from accounts belonging to a small number of individuals in various segments of the company, including cybersecurity, marketing, and business. HPE first learned of the intrusion on December 12, 2023, and has been working with external cybersecurity experts to fully investigate the scope and timeline of the attack.

This news comes on the heels of a similar disclosure from Microsoft, where the company detected a Midnight Blizzard attack on its systems in January 2024. According to Microsoft, the attackers had breached the corporate network in November 2023 and had been exfiltrating data from email accounts belonging to senior leadership and employees in cybersecurity, legal, and other functions. Midnight Blizzard used a common password spray attack to gain initial access to Microsoft’s network before accessing the email accounts of interest.

Midnight Blizzard, also known as Nobelium, Cozy Bear, and APT29, has been formally tied to Russia’s Foreign Intelligence Service (SVR) by the US government. The group made headlines in 2021 when it was implicated in the SolarWinds supply chain attack. Since then, the threat actor has shifted its focus to technology companies, using tactics such as password spraying and exploiting vulnerabilities in widely used products to gain access to target networks.

One such vulnerability that Midnight Blizzard has aggressively targeted is the CVE-2023-42793 authentication bypass vulnerability in JetBrains TeamCity. This flaw provides the threat actor with access to source code, signing certificates, and the ability to tamper with software compilation and deployment processes. While the SVR/Midnight Blizzard had not yet exploited this access for a SolarWinds-like attack at the time of a CISA advisory in December 2023, it was using the vulnerability to escalate privileges, move laterally, deploy additional payloads, and establish persistence.

Yossi Rachman, senior director of security research at Semperis, suggests that Midnight Blizzard’s targeting of HPE and Microsoft may be part of an information-gathering mission related to the companies’ knowledge of Russian-backed attack groups and cyber offensives. As the cybersecurity industry analyzes the motivations behind these targeted attacks, it’s clear that the threat posed by Midnight Blizzard and other state-sponsored actors remains a critical concern for organizations and governments around the world. The ongoing efforts to infiltrate high-profile technology companies demonstrate the need for robust cybersecurity measures and heightened vigilance in the face of evolving threats.
