Malicious Hackers Behind SolarWinds Attack Target HPE

Nobelium, the Russian nation-state hacking group behind the massive SolarWinds attack, has targeted HPE, exfiltrating data starting last May.

Earlier this week, Microsoft reported the group compromised a small number of its email accounts, including those belonging to senior staff. That attack was detected on Jan. 12, with the company implementing a response plan to disrupt the activity and investigate what happened.

HPE disclosed its attack in a U.S. Securities and Exchange Commission (SEC) filing. On Dec. 12, HPE was notified that a suspected nation-state actor, believed to be Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium, had gained unauthorized access to its cloud-based email environment.

HPE, with assistance from external cybersecurity experts, immediately activated its response process to investigate, contain, and remediate the incident, eradicating the activity, it said.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HPE said. “While our investigation of this incident and its scope remains ongoing, the company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the company.”

Related:Russian Hackers of SolarWinds Compromise Microsoft Corporate Email Accounts

HPE said the incident has not had a material impact on its operations, and the company has not determined whether the incident is likely to materially impact its financial condition or results of operations.

Not Surprising Those Behind SolarWinds Attack Are Still Active

Hen Amartely, director of product marketing at DoControl, said cloud-based productivity tools have many advantages, but typically security is not one of them.

DoControl's Hen Armartely

“In this case, it seems that vulnerabilities in a cloud-based email platform were used by attackers to gain access to mailboxes and potentially other collaborative content belonging to key people in HPE, much like was disclosed earlier this month about Microsoft,” she said. “The cloud genie is out of the bottle, and isn't going back in. The best option for organizations using these kinds of SaaS productivity tools is to invest in security tooling that can monitor these platforms for anomalous and irregular acts or behavior, and then alert on and/or remediate those actions.”

Related:SolarWinds Hack: More Surprises, Plus Why Heads Didn't Roll

It's definitely not surprising that the organization that perpetrated the SolarWinds attack has other tricks and targets, Amartely said.

“Given the reference to cloud-based email and SharePoint, it's likely the same tactics were used to gain access to both Microsoft and HPE's cloud-based productivity tools,” she said. “Both organizations are large players in IT and cybersecurity, as well as very large enterprises in their own right, so they are logical targets for threat actors in both those capacities.”

Differences Between HPE, Microsoft Attacks

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said HPE's attack involved data exfiltration similar to the Microsoft incident, but differed in the accessed mailboxes and potential connection to a prior SharePoint incident.

Critical Start's Sarah Jones

“This prompts inquiries about the specific targeting approach and whether broader network access was achieved,” she said. “Attribution to Nobelium is based on circumstantial evidence and expertise assessment, acknowledging the possibility of other actors' involvement. Ultimately, more information is needed to fully comprehend the connection between these attacks and Nobelium's long-term objectives.”

John Bambenek, president of Bambenek Consulting, said this threat actor behind the SolarWinds attack is highly sophisticated and it doesn’t surprise him that they pulled this off.

“Sometimes it’s coincidence that high-visibility hacks by this group are close together, but I suspect given the similarities, they are trying to get at something specific and all major technology firms should take note that Russian intelligence groups may be preparing to make good on their threats to punish the West over Ukraine,” he said.