The Russian Advanced Persistent Threat (APT) group known as 'Midnight Blizzard', also recognized by names such as Nobelium, Cozy Bear, and APT29, has been implicated in data breaches at both Hewlett-Packard Enterprise (HPE) and Microsoft. The group first breached HPE's cloud-hosted email environment in May 2023, extracting data from a limited number of accounts across various company sectors including cybersecurity, marketing, and business. HPE became aware of the intrusion in December 2023 and has since been working with external cybersecurity experts to determine the full extent and exact timeline of the attack. According to an 8-K SEC filing, HPE stated, "The Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023."
In January 2023, Microsoft also fell victim to a 'Midnight Blizzard' attack, with the company revealing that the threat actor likely breached its systems in November 2023. The group accessed and exfiltrated information from email accounts belonging to senior leadership and employees in cybersecurity, legal, and other functions. The initial access point for the threat actor was a legacy non-production test account, which was breached using a common password spray attack. Microsoft has pledged to enhance its security protocols, particularly those related to its legacy systems, in the aftermath of the attack.
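The Microsoft intrusion described above began with a password spray against a legacy test account. The following is an added example, not code from the article or from either vendor, showing the detection logic a defender would run over sign-in logs: a spray shows up as one source trying many distinct usernames with few attempts each, and a success during that burst marks an account worth investigating. The log format (timestamp, source IP, username, result) and the sample lines are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the article). Fields: timestamp, source IP, username, result.
# 203.0.113.5 sprays one guess across many accounts and lands on a legacy test account;
# 198.51.100.7 is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.5 alice FAIL
2023-11-20T02:00:03Z 203.0.113.5 bob FAIL
2023-11-20T02:00:05Z 203.0.113.5 carol FAIL
2023-11-20T02:00:07Z 203.0.113.5 dave FAIL
2023-11-20T02:00:09Z 203.0.113.5 erin FAIL
2023-11-20T02:00:11Z 203.0.113.5 test-legacy-01 SUCCESS
2023-11-20T02:05:00Z 198.51.100.7 alice FAIL
2023-11-20T02:05:10Z 198.51.100.7 alice FAIL
2023-11-20T02:05:20Z 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least `min_users` distinct accounts within `window`.

    Returns {ip: {"targeted": [users that failed], "compromised": [users that succeeded
    during the same window]}}. A single user failing repeatedly from one IP is not a spray,
    so the heuristic keys on the number of distinct usernames, not the number of attempts.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failed = [e for e in evs if e[3] == "FAIL"]
        # Slide a window starting at each failure; O(n^2) is fine for a per-IP slice of logs.
        for i, (t0, _, _, _) in enumerate(failed):
            users = {u for (t, _, u, _) in failed[i:] if t - t0 <= window}
            if len(users) >= min_users:
                compromised = sorted({
                    u for (t, _, u, r) in evs
                    if r == "SUCCESS" and t0 <= t <= t0 + window
                })
                findings[ip] = {"targeted": sorted(users), "compromised": compromised}
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(info['targeted'])} accounts targeted, "
              f"successful sign-ins: {info['compromised'] or 'none'}")
```

The thresholds are assumptions to tune per environment; the point of the `compromised` list is to surface exactly the case in the article, a low-profile legacy account that accepted the sprayed password and so needs its sessions revoked and its existence questioned.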
The 'Midnight Blizzard' group has been formally linked to Russia's Foreign Intelligence Service (SVR) by the US government. The group was identified by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency as responsible for the SolarWinds breach in 2021. The group has been active since around 2009, initially focusing on political intelligence gathering, but has since shifted focus towards technology companies. Notable exploits include CVE-2018-13379 in Fortinet devices, CVE-2019-9670 in Zimbra, CVE-2019-11510 in Pulse Secure VPN, CVE-2019-1978 in Citrix, and CVE-2020-4006 affecting VMware. In a recent advisory, CISA added CVE-2023-42793, an authentication bypass vulnerability in JetBrains TeamCity, to the list of vulnerabilities aggressively targeted by the group.
The cybersecurity community is currently speculating about the motivations behind Midnight Blizzard's targeted attacks. Yossi Rachman, senior director of security research at Semperis, suggests, "Currently, it is highly likely they are on an information gathering mission to glean any information HP security pros and Microsoft have on Russian-backed attack groups and the Russian cyber offensive efforts as a whole."