January 25, 2024 at 02:29PM
Russian threat actor “Midnight Blizzard,” also known as Nobelium, breached the email environments of both Hewlett-Packard Enterprise (HPE) and Microsoft, exfiltrating data from senior leadership and other segments. Both companies were unaware of the breaches until months later, highlighting the threat’s insidious nature. The attack serves as a sobering reminder of the increasing risks posed by state-sponsored threat actors.
Key takeaways from the meeting notes:
– Russian threat actor “Midnight Blizzard,” also known as Nobelium, Cozy Bear, and APT29, breached the corporate systems of both Hewlett-Packard Enterprise (HPE) and Microsoft.
– HPE’s cloud-hosted email environment was breached by Midnight Blizzard in May 2023, with data exfiltrated from accounts in the company’s cybersecurity, marketing, business, and other segments. The company became aware of the intrusion on Dec. 12, 2023.
– Microsoft detected a Midnight Blizzard attack on its corporate systems in November 2023 and disclosed it in a blog post. The attacker gained initial access by using a common password spray attack to breach a legacy non-production test account.
– Midnight Blizzard has been formally tied to Russia’s Foreign Intelligence Service (SVR) and has been focusing heavily on technology companies, including “low and slow” password spraying and exploits against vulnerabilities in widely used products.
– The threat actor has been extensively targeting the JetBrains TeamCity vulnerability (CVE-2023-42793) and has not used the access provided to pull off a SolarWinds-like attack but is using it to escalate privileges, move laterally, deploy additional payloads, and establish persistence.
– Midnight Blizzard’s motivations for these targeted attacks are likely related to gathering information on Russian-backed attack groups and Russian cyber offensive efforts.
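As an added defensive example (not taken from the meeting notes or from either company), the detection logic below flags the “low and slow” password-spray pattern described above in constructed sign-in log lines: one source failing against many distinct accounts over several hours, then succeeding on a legacy test account. The log format, field names, thresholds and sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (assumed format; not real HPE or Microsoft data).
SAMPLE_LOG = """\
2023-11-02T01:00:05Z src=203.0.113.7 user=legacy-test-01 result=FAIL
2023-11-02T01:41:12Z src=203.0.113.7 user=legacy-test-02 result=FAIL
2023-11-02T02:20:44Z src=203.0.113.7 user=svc-build result=FAIL
2023-11-02T03:05:31Z src=203.0.113.7 user=jdoe result=FAIL
2023-11-02T03:50:09Z src=203.0.113.7 user=legacy-test-01 result=SUCCESS
2023-11-02T01:10:00Z src=198.51.100.4 user=asmith result=FAIL
2023-11-02T01:10:30Z src=198.51.100.4 user=asmith result=FAIL
2023-11-02T01:11:00Z src=198.51.100.4 user=asmith result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Parse the assumed 'ts src user result' format into (ts, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(events, window=timedelta(hours=4), min_accounts=3):
    """Flag sources whose failures touch many distinct accounts inside a sliding window.
    Per-account lockout thresholds miss this pattern because each account sees few
    failures; grouping by source and counting distinct users catches it however slow it is.
    Also records which accounts the same source later signed into successfully."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            accounts = {u for ts, u in fails[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                later_success = sorted({u for ts, u, r in evs if r == "SUCCESS" and ts >= start})
                findings[src] = {"accounts": sorted(accounts), "later_success": later_success}
                break  # one finding per source is enough to raise an alert
    return findings
```

The repeated failures from 198.51.100.4 against a single account are a normal mistyped password and are not flagged; only the source that cycles through several accounts is.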
Let me know if you need any additional information or summaries from the meeting notes.