Hewlett Packard Enterprise said that a suspected Russian nation-state actor, APT29, was able to gain unauthorized access to its email environment, days after Microsoft said the same group was able to access the corporate email accounts of its senior leadership team.
In a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) on Jan. 19, HPE said that on Dec. 12 it was notified that APT29 had gained unauthorized access to its email environment. After further investigation into the incident, the company found that APT29 was able to access and exfiltrate data starting in May from “a small percentage of HPE mailboxes” belonging to individuals across its cybersecurity, go-to-market and business segments. HPE said that the incident appears to be related to earlier activity by the threat actors against the company: In June, HPE had been notified that APT29 had gained unauthorized access to “a limited number of SharePoint files” as early as May.
“Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity,” said HPE in its filing. “Upon undertaking such actions, we determined that such activity did not materially impact the Company.”
After the Dec. 12 discovery, HPE said it worked to investigate and remediate the incident, “eradicating the activity.” An HPE spokesperson said that the threat actor leveraged a compromised account to access internal HPE email boxes in the Office 365 email environment.
The disclosure follows a separate Form 8-K filing from Microsoft on Jan. 17, in which the company said it detected an attack by APT29 on Jan. 12 and that, starting in November, the threat actors had been able to access “a very small percentage of Microsoft corporate email accounts” belonging to its senior leadership team, as well as employees in its cybersecurity, legal and other segments. Microsoft said that APT29 appeared to be targeting the email accounts looking for information related to the nation-state group itself. The threat actor had used a password spray attack to compromise a legacy non-production test tenant and then used that account’s permissions to access the accounts.
APT29, a Russian espionage group that has been tracked by Mandiant since 2014, has previously targeted the U.S. and NATO member countries, and was behind major attacks including the SolarWinds supply-chain intrusion. While APT29 was named as the group behind the attacks on both HPE and Microsoft, there has been no indication of whether the two incidents are part of the same campaign.
SEC Filings And Disclosure
These incidents were reported via filings to the SEC, and they are part of the first wave of disclosures under the SEC’s cyber regulations, which went into effect in December.
The cyber rules come with a number of implications for companies, but the most significant mandate requires public companies to disclose incidents within four business days of determining that they’re material, meaning “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available,’” according to the SEC.
However, the cyber rules gave organizations wiggle room to define materiality, leaving many questioning how companies would interpret this factor when determining what types of incidents they should disclose.
Both Microsoft and HPE said that as of the date of filing, they had determined that the incidents had not had a material impact on company operations. Both companies also said they had not determined the incident “is reasonably likely to” materially impact their operations.
When making the materiality determination, an HPE spokesperson said that “there was no interruption of business operations as a result of this matter and this was not related to any vulnerability in HPE products or services. In that light, and based on what we’ve learned to date from our investigation, we determined there was no material impact.”
Merritt Baer, field CISO at Lacework, said that these filings, along with a recent one from VFCorp outlining a hack that led to the breach of the personal data of 35.5 million consumers, “indicated that the organization is still actively working to better understand the situation, but have filed a disclosure because they determined that it is, or might be, reasonably likely to result in a material impact.”
“I think companies are weighing overreporting vs underreporting,” said Baer. “Clearly the math weighed in the direction of reporting for these companies. We aren’t reading about the ones that didn’t report, so we have some bias in what’s showing up. But I also think that because the SEC is still ironing out when and how they’ll enforce these rules, some entities may choose to report rather than risk enforcement later on.”