Incident · Nation State

Hewlett Packard Enterprise Co · HPE

Information Technology · USA · Incident May 1, 2023 · Filed January 24, 2024
Impact score
Business continuity
Insurance involved
Not disclosed
Filing
8-K · 1.05

Breach taxonomy

Nation State · Data Exfil · Confidential Biz · Personal Data · Info Privacy Loss

Summary

Beginning as early as May 2023, a nation-state actor identified as Midnight Blizzard (Cozy Bear/SVR) gained unauthorized access to HPE's cloud-based email environment and exfiltrated data from a small percentage of HPE mailboxes in cybersecurity, go-to-market, and business segment functions. The activity was likely related to an earlier June 2023 breach involving unauthorized access to and exfiltration of a limited number of SharePoint files. HPE was notified of the email environment compromise on December 12, 2023 and immediately activated its incident response process to investigate, contain, and remediate the activity.

Tagging rationale

Threat: Nation State

Filing explicitly identifies the actor as Midnight Blizzard, described as a state-sponsored actor also known as Cozy Bear.

Methods: Data Exfil

Filing confirms the actor accessed and exfiltrated data from email mailboxes and a limited number of SharePoint files; no initial attack vector is described.

Assets: Confidential Biz · Personal Data

Filing discloses exfiltration from HPE email mailboxes (cybersecurity, go-to-market, business segment functions) and earlier exfiltration of SharePoint files, containing confidential business information.

Effects: Info Privacy Loss

Exfiltration of email and SharePoint data with no operational disruption mentioned; earlier SharePoint breach was determined not to materially impact the Company.

Impact

Nation-state actor (Midnight Blizzard/Cozy Bear) exfiltrated email and SharePoint data over several months, targeting cybersecurity and business leadership; described as a small percentage of mailboxes with no operational disruption.

Insurance: Not disclosed

Filing makes no mention of insurance.

Read the original SEC filing excerpt
Item 1.05 Material Cybersecurity Incidents

On December 12, 2023, Hewlett Packard Enterprise Company was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE's cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity. Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.

While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the Company.

We have notified and are cooperating with law enforcement and are also assessing our regulatory notification obligations, and we will make notifications as appropriate based on our investigation findings.