Hewlett Packard Enterprise (HPE) mentioned Wednesday that Kremlin-backed actors hacked into the e-mail accounts of its safety personnel and different staff final Might—and maintained surreptitious entry till December. The disclosure was the second revelation of a serious company community breach by the hacking group in 5 days.
The hacking group that hit HPE is identical one which Microsoft mentioned Friday broke into its company community in November and monitored electronic mail accounts of senior executives and safety crew members till being pushed out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Underneath the corporate’s just lately retired menace actor naming conference, which was based mostly on chemical components, the group was referred to as Nobelium.) However it’s maybe higher identified by the identify Cozy Bear—although researchers have additionally dubbed it APT29, the Dukes, Cloaked Ursa, and Darkish Halo.
“On December 12, 2023, Hewlett Packard Enterprise was notified {that a} suspected nation-state actor, believed to be the menace actor Midnight Blizzard, the state-sponsored actor also referred to as Cozy Bear, had gained unauthorized entry to HPE’s cloud-based electronic mail atmosphere,” firm legal professionals wrote in a submitting with the Securities and Trade Fee. “The Firm, with help from exterior cybersecurity consultants, instantly activated our response course of to research, include, and remediate the incident, eradicating the exercise. Primarily based on our investigation, we now consider that the menace actor accessed and exfiltrated knowledge starting in Might 2023 from a small proportion of HPE mailboxes belonging to people in our cybersecurity, go-to-market, enterprise segments, and different capabilities.”
An HPE consultant mentioned in an electronic mail that Cozy Bear’s preliminary entry into the community was by way of “a compromised, inside HPE Workplace 365 electronic mail account [that] was leveraged to realize entry.” The consultant declined to elaborate. The consultant additionally declined to say how HPE found the breach.
Cozy Bear hacking its approach into the e-mail programs of two of the world’s strongest corporations and monitoring prime staff’ accounts for months aren’t the one similarities within the two occasions. Each breaches additionally concerned the compromise of a single gadget on every company community, then escalating that toehold to the community itself. From there, Cozy Bear camped out undetected for months. The HPE intrusion was all of the extra spectacular as a result of Wednesday’s disclosure mentioned that the hackers additionally gained entry to Sharepoint servers in Might. Even after HPE detected and contained that breach a month later, it could take HPE one other six months to find the compromised electronic mail accounts.
The pair of disclosures, coming inside 5 days of one another, could create the impression that there was a latest flurry of hacking exercise. However Cozy Bear has really been some of the energetic nation-state teams since not less than 2010. Within the intervening 14 years, it has waged an nearly fixed sequence of assaults, totally on the networks of governmental organizations and the expertise corporations that provide them. A number of intelligence providers and personal analysis corporations have attributed the hacking group as an arm of Russia’s Overseas Intelligence Service, also referred to as the SVR.
The life and occasions of Cozy Bear (to date)
In its earliest years, Cozy Bear operated in relative obscurity—exactly the area it prefers—because it hacked principally western governmental businesses and associated organizations equivalent to political assume tanks and governmental subcontractors. In 2013, researchers from safety agency Kaspersky unearthed MiniDuke, a classy piece of malware that had taken maintain of 60 authorities businesses, assume tanks, and different high-profile organizations in 23 nations, together with the US, Hungary, Ukraine, Belgium, and Portugal.
MiniDuke was notable for its odd mixture of superior programming and the gratuitous references to literature discovered embedded into its code. (It contained strings that alluded to Dante Alighieri’s Divine Comedy and to 666, the Mark of the Beast mentioned in a verse from the Guide of Revelation.) Written in meeting, using a number of ranges of encryption, and counting on hijacked Twitter accounts and automatic Google searches to take care of stealthy communications with command-and-control servers, MiniDuke was among the many most superior items of malware discovered on the time.
It wasn’t instantly clear who was behind the mysterious malware—one other testomony to the stealth of its creators. In 2015, nevertheless, researchers linked MiniDuke—and 7 different items of beforehand unidentified malware—to Cozy Bear. After a half decade of lurking, the shadowy group was immediately introduced into the sunshine of day.
Cozy Bear as soon as once more got here to prominence the next yr when researchers found the group (together with Fancy Bear, a separate Russian-state hacking group) contained in the servers of the Democratic Nationwide Committee, on the lookout for intelligence equivalent to opposition analysis into Donald Trump, the Republication nominee for president on the time. The hacking group resurfaced within the days following Trump’s election victory that yr with a serious spear-phishing blitz that focused dozens of organizations in authorities, army, protection contracting, media, and different industries.
One in every of Cozy Bear’s crowning achievements got here in late 2020 with the invention of an in depth provide chain assault that focused prospects of SolarWinds, the Austin, Texas, maker of community administration instruments. After compromising SolarWinds’ software program construct system, the hacking group pushed contaminated updates to roughly 18,000 prospects. The hackers then used the updates to compromise 9 federal businesses and about 100 non-public corporations, White Home officers have mentioned.
Cozy Bear has remained energetic, with a number of campaigns coming to mild in 2021, together with one which used zero-day vulnerabilities to contaminate totally up to date iPhones. Final yr, the group devoted a lot of its time to hacks of Ukraine.