Implications of the Midnight Blizzard Attacks on HPE and Microsoft

The News: Hewlett Packard Enterprise (HPE) and Microsoft report being the latest targets of the Russia-linked hacking group Midnight Blizzard (also known as APT29, Cozy Bear, and Nobelium). This group was also behind the notorious SolarWinds attack of 2020. The breaches are the latest examples of state-sponsored intrusions raising serious concerns about the evolving tactics of these actors. Microsoft has published a blog post describing the attack and a second post with recommendations for defending against it.

Analyst Take: Microsoft revealed an intrusion by Midnight Blizzard that most likely dates back to late November 2023. The threat actors used a password spray attack to gain access to a legacy, non-production test tenant account at Microsoft; the account did not have multi-factor authentication enabled. From there, the attackers identified and compromised a legacy test OAuth application that had elevated access to Microsoft’s corporate environment. OAuth is an open standard for access delegation: an application is granted its own permissions to act against a service, so whoever controls the application inherits those permissions without needing the credentials of any individual user. Email accounts of senior leadership and of critical teams such as security and legal were then targeted to exfiltrate messages and attachments. This was a “sneak and peek” attack: Midnight Blizzard was looking to uncover what information Microsoft held on the group itself, and Microsoft reports that core products and customer data were not compromised.

Shortly thereafter, HPE announced that it had also been breached by Midnight Blizzard, with data access and exfiltration from what it describes as “a small percentage” of HPE employee cloud-hosted mailboxes, dating as far back as May 2023. Cybersecurity, go-to-market, and other line-of-business teams were all targeted. As with Microsoft, HPE says there is no evidence that its customer-facing GreenLake service was impacted.

Beyond these two specific tech titans being targeted, the breaches have a number of broader implications when it comes to the overall state of cyberattacks. In addition to reflecting the prevalence of state-sponsored advanced persistent threats, these implications include:

  • The growing sophistication of attacks aimed at stealing intellectual property (IP) and obtaining business intelligence (BI). These include targeted espionage and strategic intelligence gathering that rely on complex social engineering techniques and multi-month dwell times.
  • The need for transparency when it comes to attacks. Both companies filed with the SEC, in accordance with a new rule that went into effect on December 15, 2023, that requires publicly traded companies to disclose a cyberattack within four business days of determining that the incident is material to shareholders. Additionally, Microsoft released a blog post describing the attack and another providing guidance on how to protect against attacks of this type. Especially as attack methods evolve, transparency and communication can go a long way toward helping other companies avoid falling victim.
  • Midnight Blizzard knew it was high profile and being tracked, especially following the SolarWinds attack, which had broad implications, including for the US government. It was trying to gauge what Microsoft and HPE knew about it, and it is reasonable to expect that other organizations will also be targeted.
  • Microsoft 365 mailboxes continue to be prominent targets. These attacks follow a May 2023 breach of Microsoft cloud mailboxes by the China-linked hacking group Storm-0558, which led to the compromise of email accounts belonging to a number of US government agencies.

Looking ahead, recommended best practices for protecting against the rise of state-sponsored attacks include auditing privilege levels for user accounts, service accounts, and OAuth applications, and restricting each to only the privileges it needs to get the job done.
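As an added example of what such an audit can look like (this is not code from the article, from Microsoft, or from HPE), the following script walks JSON shaped like the Microsoft Graph `servicePrincipals` and `appRoleAssignments` resources and flags every application that holds a tenant-wide mailbox or directory permission, noting whether any owner of that application is still an enabled account. The sample tenant is constructed for the example and every ID in it is a placeholder; the list of high-risk role names is an assumption a practitioner should extend to match the `appRoles` published by the resource service principals in their own tenant.

```python
"""Audit Entra ID service principals for high-privilege application permissions.

Added example, not code from the article, Microsoft, or HPE. It reads JSON
shaped like the Microsoft Graph `servicePrincipals` and `appRoleAssignments`
resources. The tenant below is constructed and every ID in it is a placeholder.
"""
import json

# Application permissions (app roles) that reach every mailbox or the whole
# directory. The role names are real app roles published by Exchange Online
# and Microsoft Graph; which ones count as high risk is an assumption here.
HIGH_RISK_APP_ROLES = {
    "full_access_as_app",                 # Exchange Online: all mailboxes
    "Mail.Read",                          # Graph: read mail in all mailboxes
    "Mail.ReadWrite",
    "Mail.Send",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed sample tenant (placeholder IDs, not real identifiers).
SAMPLE_TENANT = json.loads("""
{
  "users": [
    {"id": "u-alice", "displayName": "alice", "accountEnabled": true},
    {"id": "u-test",  "displayName": "legacy-test-account", "accountEnabled": false}
  ],
  "resourceServicePrincipals": [
    {"id": "res-exo", "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "role-exo-full", "value": "full_access_as_app"}]},
    {"id": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-gr-mailread", "value": "Mail.Read"},
                  {"id": "role-gr-userread", "value": "User.Read.All"}]}
  ],
  "servicePrincipals": [
    {"id": "sp-legacy", "displayName": "legacy-test-app", "owners": ["u-test"]},
    {"id": "sp-hr",     "displayName": "hr-sync",         "owners": ["u-alice"]},
    {"id": "sp-evil",   "displayName": "attacker-app",    "owners": []}
  ],
  "appRoleAssignments": [
    {"principalId": "sp-legacy", "resourceId": "res-exo",   "appRoleId": "role-exo-full"},
    {"principalId": "sp-hr",     "resourceId": "res-graph", "appRoleId": "role-gr-userread"},
    {"principalId": "sp-evil",   "resourceId": "res-graph", "appRoleId": "role-gr-mailread"}
  ]
}
""")


def _index(items):
    """Map a list of Graph objects by their `id`."""
    return {item["id"]: item for item in items}


def audit_app_permissions(tenant, high_risk=HIGH_RISK_APP_ROLES):
    """Return one finding per high-risk application permission assignment.

    Application permissions belong to the application's service principal,
    not to the person who consented, so they outlive the deletion of that
    account. An app holding such a permission with no enabled owner left is
    exactly the kind of orphan that should be removed.
    """
    users = _index(tenant["users"])
    resources = _index(tenant["resourceServicePrincipals"])
    apps = _index(tenant["servicePrincipals"])
    # (resource id, app role id) -> human-readable role name
    role_names = {
        (res["id"], role["id"]): role["value"]
        for res in resources.values()
        for role in res["appRoles"]
    }
    findings = []
    for assignment in tenant["appRoleAssignments"]:
        role = role_names.get((assignment["resourceId"], assignment["appRoleId"]))
        if role not in high_risk:
            continue
        app = apps[assignment["principalId"]]
        live_owners = [
            users[owner]["displayName"]
            for owner in app.get("owners", [])
            if owner in users and users[owner]["accountEnabled"]
        ]
        findings.append({
            "app": app["displayName"],
            "permission": role,
            "resource": resources[assignment["resourceId"]]["displayName"],
            "owner_status": ("active owner: " + ", ".join(live_owners))
            if live_owners else "no active owner",
        })
    return sorted(findings, key=lambda f: (f["owner_status"], f["app"]))


if __name__ == "__main__":
    for f in audit_app_permissions(SAMPLE_TENANT):
        print(f"{f['app']:18} {f['permission']:22} on {f['resource']:28} {f['owner_status']}")
```

Against the sample tenant the script reports `legacy-test-app` (Exchange `full_access_as_app`, owner disabled) and `attacker-app` (Graph `Mail.Read`, no owners) and stays silent on `hr-sync`, whose `User.Read.All` is not in the high-risk set. In a real tenant the same logic runs over the output of `GET /servicePrincipals?$expand=owners` and `GET /servicePrincipals/{id}/appRoleAssignments`.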

Additionally, anomaly detection that can uncover malicious applications, together with controls over which applications users may grant consent to, is important. The need for advanced detection and, ultimately, response capabilities is underscored by the sophisticated and evolving nature of attacks, as well as their extended dwell times. For example, Midnight Blizzard routed its password spray attempts against Microsoft accounts through a vast number of legitimate residential IP addresses, keeping the number of failures per account and per source address low enough to slip past lockout thresholds and volume-based alerts. The attackers then created additional malicious OAuth applications, as well as a new user account to grant consent in the Microsoft corporate environment to the actor-controlled applications. Application permissions of this kind belong to the application itself rather than to the account that granted them, so they can persist even if the originally compromised account is disabled or deleted; an audit therefore has to cover applications and service principals, not only users.
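The residential-proxy spray described above defeats per-account and per-IP counters by design, so detection has to look across accounts instead. The following added example (not code from the article or from either vendor) runs a sliding-window check over constructed sign-in records: it alerts when many distinct accounts each fail only once or twice, from many distinct source addresses, inside one window, and it deliberately stays quiet for a single account hammered from one address, which is a brute-force pattern, not a spray. The log format, the field names, and the thresholds are assumptions for the example, not the schema of any real product.

```python
"""Detect low-and-slow password spraying across many accounts and source IPs.

Added example, not code from the article, Microsoft, or HPE. The sign-in
records below are constructed; fields mirror what a cloud identity provider's
sign-in log typically carries (time, user, source IP, outcome).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real data). Ten accounts each fail once from a
# different address inside a few minutes (the spray), mixed with ordinary
# traffic: alice signs in, bob mistypes twice then succeeds. Three hours later
# carol's account is brute-forced from a single address.
SAMPLE_SIGNINS = """
2023-11-20T02:58:10Z,alice@corp.example,192.0.2.5,success
2023-11-20T03:00:01Z,user01@corp.example,198.51.100.11,failure
2023-11-20T03:00:44Z,user02@corp.example,198.51.100.23,failure
2023-11-20T03:01:30Z,user03@corp.example,198.51.100.37,failure
2023-11-20T03:02:05Z,bob@corp.example,192.0.2.5,failure
2023-11-20T03:02:12Z,user04@corp.example,198.51.100.48,failure
2023-11-20T03:02:59Z,user05@corp.example,198.51.100.52,failure
2023-11-20T03:03:20Z,bob@corp.example,192.0.2.5,failure
2023-11-20T03:03:41Z,user06@corp.example,198.51.100.66,failure
2023-11-20T03:03:55Z,bob@corp.example,192.0.2.5,success
2023-11-20T03:04:30Z,user07@corp.example,198.51.100.71,failure
2023-11-20T03:05:18Z,user08@corp.example,198.51.100.89,failure
2023-11-20T03:06:02Z,user09@corp.example,198.51.100.93,failure
2023-11-20T03:06:47Z,user10@corp.example,198.51.100.104,failure
2023-11-20T06:00:00Z,carol@corp.example,203.0.113.7,failure
2023-11-20T06:00:05Z,carol@corp.example,203.0.113.7,failure
2023-11-20T06:00:10Z,carol@corp.example,203.0.113.7,failure
2023-11-20T06:00:15Z,carol@corp.example,203.0.113.7,failure
2023-11-20T06:00:20Z,carol@corp.example,203.0.113.7,failure
2023-11-20T06:00:25Z,carol@corp.example,203.0.113.7,failure
"""


def parse_signins(text):
    """Parse `time,user,ip,result` lines into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "failed": result == "failure",
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=8, max_per_user=2, min_ips=5):
    """Return one alert per window that looks like a distributed spray.

    A spray shows up as many accounts with only a few failures each, spread
    over many source addresses. Accounts with more than `max_per_user`
    failures are left out of the count so a concurrent brute force of one
    account neither triggers nor hides a spray. Thresholds are assumptions.
    """
    failures = [e for e in events if e["failed"]]
    alerts = []
    i = 0
    while i < len(failures):
        start = failures[i]["time"]
        end = start + window
        in_window = [e for e in failures if start <= e["time"] < end]
        per_user = Counter(e["user"] for e in in_window)
        spray_users = {u for u, n in per_user.items() if n <= max_per_user}
        spray_events = [e for e in in_window if e["user"] in spray_users]
        per_ip = Counter(e["ip"] for e in spray_events)
        if len(spray_users) >= min_users and len(per_ip) >= min_ips:
            alerts.append({
                "window_start": start.isoformat(),
                "window_end": end.isoformat(),
                "distinct_users": len(spray_users),
                "distinct_ips": len(per_ip),
                # both stay tiny: this is what per-account lockouts never see
                "max_failures_per_user": max(per_user[u] for u in spray_users),
                "max_failures_per_ip": max(per_ip.values()),
            })
            # one campaign, one alert: resume after this window ends
            i = next((j for j in range(i, len(failures))
                      if failures[j]["time"] >= end), len(failures))
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

On the sample log the detector raises a single alert for the 03:00 window (eleven accounts, eleven addresses, at most two failures per account and per address) and nothing for carol's six failures, which a conventional per-account lockout would already catch. Feeding the same function the output of an identity provider's sign-in log export is the only change needed to run it for real.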

Finally, supply chain vulnerabilities remain a material issue, even when relying on prominent and well-established service and technology providers. Regular auditing and a sustained commitment to robust security measures are always necessary, and especially so now that supply chains are more decentralized than ever before.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other Insights from The Futurum Group:

From Breach Recovery to AI-Powered Resilience

2024 Outlook – Infrastructure Matters, Episode 26

Microsoft Unifies Security Ops with Copilot AI-Augmented Platform

Author Information

Krista Case

Krista Case brings over 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
