Midnight Blizzard claims another big tech victim with HPE hack just days after Microsoft breach - and more could be coming

Midnight Blizzard, the Russian-linked hacker group behind a recent high-profile breach at Microsoft, also breached HPE, the company confirmed this week – and more victims are expected to emerge in the coming days. 

HPE confirmed the group began accessing and exfiltrating data from the firm as far back as May 2023, accessing a “small percentage of HPE mailboxes”.

The tech giant said the affected mailboxes belonged largely to staff working in its cyber security, go-to-market, and business segments.

With assistance from external cyber security experts, HPE has reportedly activated its response process to “investigate, contain, and remediate the incident.”

This breach comes in the wake of several high-profile attacks by the threat actor group, which also goes by the names APT29 and Cozy Bear.

Most recently, Midnight Blizzard conducted a sneak-and-peek reconnaissance attack on Microsoft with the intention of finding out what the firm knew about it. As with the attack on HPE, corporate emails and company documents were exfiltrated by the group.

Back in 2019, SolarWinds suffered at the hands of Midnight Blizzard in a hack which had far-reaching consequences on several US governmental bodies, including the department of commerce and the treasury.

This isn't HPE’s first run in with Midnight Blizzard, either. Recent SEC filings state that this current attack is likely related to an earlier attack by the group in June 2023.

In a previously undisclosed breach, Midnight Blizzard gained unauthorized access to several SharePoint files on the HPE system, though HPE determined that it hadn’t materially impacted the company.

Further to this current attack, HPE claims to be cooperating with law enforcement while also assessing its regulatory notification obligations.

Though the full extent of the attack is unclear, HPE seems confident that the incident is not “likely to materially impact the company’s financial condition or results of operations.”

More Midnight Blizzard victims could be coming

Just a week after revealing it had fallen prey to Midnight Blizzard, Microsoft has now revealed an investigation into the attack shows more victims could be coming. 

In a blog post on January 25, the tech giant concluded it was not the sole target of the group, and that it has been “targeting other organizations” operating in the global technology sector.

While Microsoft did not disclose who appears to have been targeted, the company said it has begun notifying those potentially at risk or exposed to the group.

“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations,” Microsoft said.

It’s important to note that this investigation is still ongoing, and we will continue to provide details as appropriate.

Chis Morgan, senior cyber threat intelligence analyst at ReliaQuest, said the Microsoft and HPE attacks highlight the significant threats technology companies face from state-backed threat groups, many of whom are technically proficient and highly aggressive.

“The latest incident affecting HPE — which follows a recent intrusion made against Microsoft — serves as a reminder of the significant risk facing technology companies from nation-state aligned threats,” he said.

“The attack, which has been attributed to Russian-aligned threat group Cozy Bear (Aka Midnight Blizzard, APT29), highlights the ongoing struggle to stay one step ahead of attackers, who are agile, well resourced, and technically sophisticated.”