
Getty Photos
Hewlett Packard Enterprise (HPE) stated Wednesday that Kremlin-backed actors hacked into the e-mail accounts of its safety personnel and different staff final Could—and maintained surreptitious entry till December. The disclosure was the second revelation of a serious company community breach by the hacking group in 5 days.
The hacking group that hit HPE is similar one which Microsoft stated Friday broke into its company community in November and monitored e-mail accounts of senior executives and safety workforce members till being pushed out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Beneath the corporate’s not too long ago retired risk actor naming conference, which was primarily based on chemical components, the group was often called Nobelium.) However it’s maybe higher identified by the title Cozy Bear—although researchers have additionally dubbed it APT29, the Dukes, Cloaked Ursa, and Darkish Halo.
“On December 12, 2023, Hewlett Packard Enterprise was notified {that a} suspected nation-state actor, believed to be the risk actor Midnight Blizzard, the state-sponsored actor often known as Cozy Bear, had gained unauthorized entry to HPE’s cloud-based e-mail surroundings,” firm legal professionals wrote in a submitting with the Securities and Change Fee. “The Firm, with help from exterior cybersecurity consultants, instantly activated our response course of to analyze, comprise, and remediate the incident, eradicating the exercise. Primarily based on our investigation, we now consider that the risk actor accessed and exfiltrated knowledge starting in Could 2023 from a small share of HPE mailboxes belonging to people in our cybersecurity, go-to-market, enterprise segments, and different features.”
An HPE consultant stated in an e-mail that Cozy Bear’s preliminary entry into the community was via “a compromised, inner HPE Workplace 365 e-mail account [that] was leveraged to realize entry.” The consultant declined to elaborate. The consultant additionally declined to say how HPE found the breach.
Cozy Bear hacking its approach into the e-mail techniques of two of the world’s strongest firms and monitoring prime staff’ accounts for months aren’t the one similarities between the 2 occasions. Each breaches additionally concerned compromising a single machine on every company community, then escalating that toehold to the community itself. From there, Cozy Bear camped out undetected for months. The HPE intrusion was all of the extra spectacular as a result of Wednesday’s disclosure stated that the hackers additionally gained entry to Sharepoint servers in Could. Even after HPE detected and contained that breach a month later, it might take HPE one other six months to find the compromised e-mail accounts.
The pair of disclosures, coming inside 5 days of one another, could create the impression that there was a current flurry of hacking exercise. However Cozy Bear has truly been one of the lively nation-state teams since no less than 2010. Within the intervening 14 years, it has waged an nearly fixed sequence of assaults, totally on the networks of governmental organizations and the expertise firms that provide them. A number of intelligence companies and personal analysis firms have attributed the hacking group as an arm of Russia’s Overseas Intelligence Service, often known as the SVR.
The life and instances of Cozy Bear (thus far)
In its earliest years, Cozy Bear operated in relative obscurity—exactly the area it prefers—because it hacked largely Western governmental businesses and associated organizations reminiscent of political suppose tanks and governmental subcontractors. In 2013, researchers from safety agency Kaspersky unearthed MiniDuke, a complicated piece of malware that had taken maintain of 60 authorities businesses, suppose tanks, and different high-profile organizations in 23 international locations, together with the US, Hungary, Ukraine, Belgium, and Portugal.
MiniDuke was notable for its odd mixture of superior programming and the gratuitous references to literature discovered embedded into its code. (It contained strings that alluded to Dante Alighieri’s Divine Comedy and to 666, the Mark of the Beast mentioned in a verse from the Ebook of Revelation.) Written in meeting, using a number of ranges of encryption, and counting on hijacked Twitter accounts and automatic Google searches to keep up stealthy communications with command-and-control servers, MiniDuke was among the many most superior items of malware discovered on the time.
It wasn’t instantly clear who was behind the mysterious malware—one other testomony to the stealth of its creators. In 2015, nevertheless, researchers linked MiniDuke—and 7 different items of beforehand unidentified malware—to Cozy Bear. After a half-decade of lurking, the shadowy group was out of the blue introduced into the sunshine of day.
Cozy Bear as soon as once more got here to prominence the next 12 months when researchers found the group (together with Fancy Bear, a separate Russian-state hacking group) contained in the servers of the Democratic Nationwide Committee, in search of intelligence reminiscent of opposition analysis into Donald Trump, the Republican nominee for president on the time. The hacking group resurfaced within the days following Trump’s election victory that 12 months with a main spear-phishing blitz that focused dozens of organizations in authorities, army, protection contracting, media, and different industries.
Considered one of Cozy Bear’s crowning achievements got here in late 2020 with the invention of an in depth provide chain assault that focused clients of SolarWinds, the Austin, Texas, maker of community administration instruments. After compromising SolarWinds’ software program construct system, the hacking group pushed contaminated updates to roughly 18,000 clients. The hackers then used the updates to compromise 9 federal businesses and about 100 personal firms, White Home officers have stated.
Cozy Bear has remained lively, with a number of campaigns coming to gentle in 2021, together with one which used zero-day vulnerabilities to infect absolutely up to date iPhones. Final 12 months, the group devoted a lot of its time to hacks of Ukraine.

Getty Photos
Hewlett Packard Enterprise (HPE) stated Wednesday that Kremlin-backed actors hacked into the e-mail accounts of its safety personnel and different staff final Could—and maintained surreptitious entry till December. The disclosure was the second revelation of a serious company community breach by the hacking group in 5 days.
The hacking group that hit HPE is similar one which Microsoft stated Friday broke into its company community in November and monitored e-mail accounts of senior executives and safety workforce members till being pushed out earlier this month. Microsoft tracks the group as Midnight Blizzard. (Beneath the corporate’s not too long ago retired risk actor naming conference, which was primarily based on chemical components, the group was often called Nobelium.) However it’s maybe higher identified by the title Cozy Bear—although researchers have additionally dubbed it APT29, the Dukes, Cloaked Ursa, and Darkish Halo.
“On December 12, 2023, Hewlett Packard Enterprise was notified {that a} suspected nation-state actor, believed to be the risk actor Midnight Blizzard, the state-sponsored actor often known as Cozy Bear, had gained unauthorized entry to HPE’s cloud-based e-mail surroundings,” firm legal professionals wrote in a submitting with the Securities and Change Fee. “The Firm, with help from exterior cybersecurity consultants, instantly activated our response course of to analyze, comprise, and remediate the incident, eradicating the exercise. Primarily based on our investigation, we now consider that the risk actor accessed and exfiltrated knowledge starting in Could 2023 from a small share of HPE mailboxes belonging to people in our cybersecurity, go-to-market, enterprise segments, and different features.”
An HPE consultant stated in an e-mail that Cozy Bear’s preliminary entry into the community was via “a compromised, inner HPE Workplace 365 e-mail account [that] was leveraged to realize entry.” The consultant declined to elaborate. The consultant additionally declined to say how HPE found the breach.
Cozy Bear hacking its approach into the e-mail techniques of two of the world’s strongest firms and monitoring prime staff’ accounts for months aren’t the one similarities between the 2 occasions. Each breaches additionally concerned compromising a single machine on every company community, then escalating that toehold to the community itself. From there, Cozy Bear camped out undetected for months. The HPE intrusion was all of the extra spectacular as a result of Wednesday’s disclosure stated that the hackers additionally gained entry to Sharepoint servers in Could. Even after HPE detected and contained that breach a month later, it might take HPE one other six months to find the compromised e-mail accounts.
The pair of disclosures, coming inside 5 days of one another, could create the impression that there was a current flurry of hacking exercise. However Cozy Bear has truly been one of the lively nation-state teams since no less than 2010. Within the intervening 14 years, it has waged an nearly fixed sequence of assaults, totally on the networks of governmental organizations and the expertise firms that provide them. A number of intelligence companies and personal analysis firms have attributed the hacking group as an arm of Russia’s Overseas Intelligence Service, often known as the SVR.
The life and instances of Cozy Bear (thus far)
In its earliest years, Cozy Bear operated in relative obscurity—exactly the area it prefers—because it hacked largely Western governmental businesses and associated organizations reminiscent of political suppose tanks and governmental subcontractors. In 2013, researchers from safety agency Kaspersky unearthed MiniDuke, a complicated piece of malware that had taken maintain of 60 authorities businesses, suppose tanks, and different high-profile organizations in 23 international locations, together with the US, Hungary, Ukraine, Belgium, and Portugal.
MiniDuke was notable for its odd mixture of superior programming and the gratuitous references to literature discovered embedded into its code. (It contained strings that alluded to Dante Alighieri’s Divine Comedy and to 666, the Mark of the Beast mentioned in a verse from the Ebook of Revelation.) Written in meeting, using a number of ranges of encryption, and counting on hijacked Twitter accounts and automatic Google searches to keep up stealthy communications with command-and-control servers, MiniDuke was among the many most superior items of malware discovered on the time.
It wasn’t instantly clear who was behind the mysterious malware—one other testomony to the stealth of its creators. In 2015, nevertheless, researchers linked MiniDuke—and 7 different items of beforehand unidentified malware—to Cozy Bear. After a half-decade of lurking, the shadowy group was out of the blue introduced into the sunshine of day.
Cozy Bear as soon as once more got here to prominence the next 12 months when researchers found the group (together with Fancy Bear, a separate Russian-state hacking group) contained in the servers of the Democratic Nationwide Committee, in search of intelligence reminiscent of opposition analysis into Donald Trump, the Republican nominee for president on the time. The hacking group resurfaced within the days following Trump’s election victory that 12 months with a main spear-phishing blitz that focused dozens of organizations in authorities, army, protection contracting, media, and different industries.
Considered one of Cozy Bear’s crowning achievements got here in late 2020 with the invention of an in depth provide chain assault that focused clients of SolarWinds, the Austin, Texas, maker of community administration instruments. After compromising SolarWinds’ software program construct system, the hacking group pushed contaminated updates to roughly 18,000 clients. The hackers then used the updates to compromise 9 federal businesses and about 100 personal firms, White Home officers have stated.
Cozy Bear has remained lively, with a number of campaigns coming to gentle in 2021, together with one which used zero-day vulnerabilities to infect absolutely up to date iPhones. Final 12 months, the group devoted a lot of its time to hacks of Ukraine.