HPE Notifies Employees of Data Breach After Russian Office 365 Hack

HPE Hacked

By WIRE TOR - Ethical Hacking Services. Published 11 months ago. 4 min read.
Hewlett Packard Enterprise (HPE) is notifying employees about a data breach that resulted from a cyberattack on the company’s Office 365 email environment by Russian state-sponsored hackers. The attack, which occurred in May 2023, compromised sensitive personal and financial data of some employees.

The Data Breach and HPE’s Response

According to filings with Attorney General offices in New Hampshire and Massachusetts, HPE began sending breach notification letters last month. At least 16 individuals have been identified as having had their driver's licenses, credit card numbers, and Social Security numbers stolen in the breach.

“HPE's forensic investigation determined that certain individuals' personal information may have been subject to unauthorized access,” the company stated in the notification letters. “On January 29, 2025, HPE began providing notice of this event to impacted individuals, in accordance with applicable law.”

When asked about the number of affected employees, an HPE spokesperson clarified that the breach was limited to a small group of HPE team members. “A limited group of HPE team member mailboxes were accessed, and only the information contained in those mailboxes was involved,” the spokesperson said.

Who is Behind the Attack?

The group responsible for the cyberattack is Cozy Bear, also known as Midnight Blizzard, APT29, and Nobelium. Cozy Bear is linked to Russia's Foreign Intelligence Service (SVR) and has a history of conducting high-profile cyberattacks, including the 2020 SolarWinds supply chain attack that affected numerous government agencies and corporations.

HPE’s SEC Disclosure and Further Investigations

HPE first disclosed the breach in an SEC filing on January 29, 2024. The company revealed that it was notified on December 12, 2023, that suspected Russian hackers had gained access to its cloud-based Office 365 email environment as early as May 2023 by using a compromised account.

“We determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear.”

The company emphasized that the attack was limited to data contained within user mailboxes and that it was conducting further investigations. “The accessed data is limited to information contained in the users' mailboxes. We continue to investigate and will make appropriate notifications as required.”

SharePoint Server Also Breached

In the same SEC filing, HPE indicated that the Office 365 breach was likely linked to another attack that occurred in May 2023, where threat actors accessed the company's SharePoint server and stole files.

This suggests that the attackers may have gained access to additional sensitive corporate information beyond email communications. The full extent of the damage caused by the breach is still under investigation.

Connections to Microsoft’s Cozy Bear Hack

The disclosure of the HPE breach came just days after Microsoft warned of a similar cyberattack by Cozy Bear. The hackers had reportedly stolen data from corporate email accounts and source code repositories.

Microsoft revealed that the attack began in November 2024, when Cozy Bear successfully executed a password spray attack, targeting a legacy non-production test tenant account. This breach allowed them to escalate their access within Microsoft’s network, ultimately leading to the theft of sensitive information.

HPE’s History of Cybersecurity Incidents

This is not the first time HPE has been the target of a major cyberattack.

2018 Breach by Chinese Hackers: In 2018, HPE suffered a breach in which Chinese malicious actors gained access to its network. The attackers leveraged this access to infiltrate the devices of HPE customers, leading to significant security concerns.

2021 Aruba Central Data Exposure: In 2021, HPE disclosed that its Aruba Central network monitoring platform had been compromised. The incident allowed threat actors to access information about monitored devices and their locations.

2024 and 2025 IntelBroker Claims: More recently, in February 2024 and January 2025, HPE investigated potential security breaches after a threat actor known as IntelBroker claimed to have stolen HPE credentials, source code, and other sensitive corporate data.

How Cozy Bear Operates

Cozy Bear has a long history of using sophisticated techniques to infiltrate high-value targets. Their methods include:

Phishing and Credential Theft: They often use spear-phishing attacks to trick employees into revealing login credentials.

Password Spraying: This method involves trying commonly used passwords across many accounts to gain access without triggering account lockouts.

Exploiting Software Vulnerabilities: Cozy Bear is known for identifying and exploiting security flaws in software applications and cloud environments.

Persistence and Lateral Movement: Once inside a network, Cozy Bear employs various tactics to maintain access and move laterally within the system to reach sensitive data.

Implications for HPE Employees and Clients

While HPE has not disclosed the total number of affected individuals, the theft of Social Security numbers, credit card details, and driver's license information poses serious risks to employees. The compromised data could be used for:

  • Identity theft and financial fraud
  • Phishing campaigns targeting affected individuals
  • Further cyberattacks leveraging stolen credentials

Employees are advised to:

  • Monitor their financial accounts for unauthorized transactions
  • Change passwords and enable multi-factor authentication (MFA) on all sensitive accounts
  • Be cautious of phishing attempts that may use stolen personal information

Steps Organizations Can Take to Prevent Similar Attacks

The HPE breach highlights the importance of robust cybersecurity measures, particularly for companies that store and process sensitive information. Organizations can take the following steps to strengthen their defenses:

Implement Strong Authentication Measures: Enforcing multi-factor authentication (MFA) reduces the risk of unauthorized access.

Monitor for Suspicious Activity: Regularly review logs and user activities to detect potential breaches early.

Restrict Access to Sensitive Data: Apply the principle of least privilege (PoLP) to limit user access to critical systems.

Conduct Security Awareness Training: Employees should be trained to recognize phishing attempts and social engineering tactics.

Regular Security Audits and Patch Management: Ensuring all systems are updated with the latest security patches helps prevent exploits.
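
As an added example (not from the original article, HPE or Microsoft), here is a minimal log-review check for the password-spraying pattern described under "How Cozy Bear Operates". It flags a source that fails against many distinct accounts with only a few attempts on each, the pattern that keeps per-account lockout counters from tripping. The log layout, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: time, source IP, account, outcome.
# The layout is an assumption; map it from your identity provider's export.
SAMPLE_LOG = """\
2024-01-10T09:00:05 198.51.100.7 alice FAIL
2024-01-10T09:02:11 198.51.100.7 bob FAIL
2024-01-10T09:04:40 198.51.100.7 carol FAIL
2024-01-10T09:07:02 198.51.100.7 dave FAIL
2024-01-10T09:09:30 198.51.100.7 test-svc OK
2024-01-10T09:01:00 203.0.113.9 erin FAIL
2024-01-10T09:01:20 203.0.113.9 erin FAIL
2024-01-10T09:01:45 203.0.113.9 erin FAIL
2024-01-10T09:02:10 203.0.113.9 erin FAIL
2024-01-10T09:03:00 203.0.113.9 erin OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome

def detect_spray(log, window=timedelta(minutes=30), min_accounts=4, max_per_account=2):
    """Flag sources that fail against many accounts with few tries on each."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(parse(log)):
        by_ip[ip].append((ts, user, outcome))
    findings = []
    for ip, events in by_ip.items():
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            fails = defaultdict(int)
            for _, user, outcome in in_window:
                if outcome == "FAIL":
                    fails[user] += 1
            low_and_slow = [u for u, n in fails.items() if n <= max_per_account]
            if len(low_and_slow) >= min_accounts:
                # A success from the same source in the window is the account to triage first.
                hits = sorted({u for _, u, o in in_window if o == "OK"})
                findings.append({"source": ip, "targeted": sorted(low_and_slow), "succeeded": hits})
                break
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

The second source in the sample, with repeated failures against a single account, is deliberately not flagged: that is the pattern an ordinary lockout policy already handles.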

Conclusion

HPE’s notification of employees regarding the Office 365 data breach marks yet another cybersecurity incident linked to Russian state-sponsored hackers. The breach, which exposed personal and financial information, underscores the evolving threats that global corporations face from sophisticated cyber adversaries like Cozy Bear.

As HPE continues its investigations, the incident serves as a reminder for all organizations to reinforce their cybersecurity measures and remain vigilant against nation-state cyber threats. Moving forward, proactive security strategies will be crucial in mitigating the risks posed by increasingly sophisticated cyberattacks.

About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
