Saturday, April 20, 2024

The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE



Getty Images

Hewlett Packard Enterprise (HPE) said Wednesday that Kremlin-backed actors hacked into the email accounts of its security personnel and other employees last May, and maintained surreptitious access until December. The disclosure was the second revelation of a major corporate network breach by the same hacking group in five days.

The hacking group that hit HPE is the same one that Microsoft said Friday broke into its corporate network in November and monitored the email accounts of senior executives and security team members until being pushed out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Under the company's recently retired threat actor naming convention, which was based on chemical elements, the group was known as Nobelium.) But it is perhaps better known by the name Cozy Bear, though researchers have also dubbed it APT29, the Dukes, Cloaked Ursa, and Dark Halo.

"On December 12, 2023, Hewlett Packard Enterprise was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE's cloud-based email environment," company lawyers wrote in a filing with the Securities and Exchange Commission. "The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity. Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions."

An HPE representative said in an email that Cozy Bear's initial entry into the network was through "a compromised, internal HPE Office 365 email account [that] was leveraged to gain access." The representative declined to elaborate, and also declined to say how HPE discovered the breach.

Cozy Bear hacking its way into the email systems of two of the world's most powerful companies and monitoring top employees' accounts for months are not the only similarities between the two events. Both breaches also began with the compromise of a single account or device on the corporate network, which the attackers then expanded into broader access. From there, Cozy Bear camped out undetected for months. The HPE intrusion is all the more striking because Wednesday's disclosure said the hackers had also gained access to SharePoint servers in May. Even after HPE detected and contained that breach a month later, it took the company another six months to discover the compromised email accounts.

The pair of disclosures, coming within five days of each other, may create the impression that there has been a recent flurry of hacking activity. But Cozy Bear has actually been one of the most active nation-state groups since at least 2010. In the intervening 14 years, it has waged an almost constant series of attacks, mostly on the networks of governmental organizations and the technology companies that supply them. Multiple intelligence agencies and private research firms have attributed the group to Russia's Foreign Intelligence Service, also known as the SVR.

The life and times of Cozy Bear (so far)

In its earliest years, Cozy Bear operated in relative obscurity, precisely the space it prefers, as it hacked mostly Western government agencies and related organizations such as political think tanks and government subcontractors. In 2013, researchers from security firm Kaspersky unearthed MiniDuke, a sophisticated piece of malware that had taken hold in 60 government agencies, think tanks, and other high-profile organizations across 23 countries, including the US, Hungary, Ukraine, Belgium, and Portugal.

MiniDuke was notable for its odd mixture of advanced programming and gratuitous literary references embedded in its code. (It contained strings alluding to Dante Alighieri's Divine Comedy and to 666, the Mark of the Beast mentioned in a verse of the Book of Revelation.) Written in assembly, using multiple layers of encryption, and relying on hijacked Twitter accounts (with automated Google searches as a fallback) to locate its command-and-control servers without a hard-coded address, MiniDuke was among the most advanced pieces of malware found at the time.

It wasn't immediately clear who was behind the mysterious malware, another testament to the stealth of its creators. In 2015, however, researchers linked MiniDuke, along with seven other pieces of previously unattributed malware, to Cozy Bear. After a half-decade of lurking, the shadowy group was suddenly brought into the light of day.

Cozy Bear once again came to prominence the following year when researchers discovered the group (along with Fancy Bear, a separate Russian state hacking group) inside the servers of the Democratic National Committee, looking for intelligence such as opposition research into Donald Trump, the Republican nominee for president at the time. The group resurfaced in the days following Trump's election victory that year with a major spear-phishing blitz that targeted dozens of organizations in government, the military, defense contracting, media, and other industries.

One of Cozy Bear's crowning achievements came in late 2020 with the discovery of an extensive supply chain attack that targeted customers of SolarWinds, the Austin, Texas, maker of network management tools. After compromising SolarWinds' software build system, the group pushed infected updates to roughly 18,000 customers. The hackers then used those updates to compromise nine federal agencies and about 100 private companies, White House officials have said.

Cozy Bear has remained active, with multiple campaigns coming to light in 2021, including one that used zero-day vulnerabilities to infect fully updated iPhones. Last year, the group devoted much of its time to hacks targeting Ukraine.
