Hewlett Packard Enterprise (HPE) is currently investigating claims of a data breach allegedly perpetrated by the IntelBroker threat group. In a recent posting on a dark web forum, IntelBroker asserted that it had successfully infiltrated HPE’s network, acquiring sensitive information that they are now attempting to sell.
According to reports, the hackers managed to exploit vulnerabilities within HPE’s internal systems for a period of two days. During this time, they reportedly accessed private GitHub repositories, application programming interfaces (APIs), and even WePay services, leading to the theft of certificates, source code for products such as Zerto and iLO, Docker builds, and personal data related to deliveries. HPE has stated that they are rigorously examining the situation and have stressed that no customer data has been compromised, maintaining that their operations remain unaffected.
A spokesperson for HPE revealed that the company became aware of the breach claims on January 16. In response, they promptly activated their cybersecurity protocols, disabled related access credentials, and initiated an investigation to ascertain the authenticity of the hackers’ assertions. According to HPE, there are no signs of operational disruption and no evidence that customer information has been compromised in this incident.
IntelBroker has not only targeted HPE but has also been linked to attacks on other significant tech firms. The group, believed to be spearheaded by an individual operating out of Serbia and Russia, has previously claimed responsibility for data breaches involving Apple and Europol as well as other organizations. Notably, HPE experienced similar breach claims by IntelBroker last year but found no substantial evidence supporting those allegations.
IntelBroker's claims tend to follow a common pattern: the affected companies learn of the alleged breach through announcements on hacking forums, investigate, and typically conclude that the incident was not serious, asserting that the data taken was of little consequence. Organizations targeted by IntelBroker frequently contest the severity of the incidents, suggesting that claims made on dark web platforms are exaggerated.
In previous breaches attributed to IntelBroker, such as the major incident involving Cisco last October, significant volumes of data were exposed, specifically around 2.9 terabytes. However, Cisco has maintained that the information compromised was not of a confidential or sensitive nature. A similar sentiment was echoed in the response to a breach at Nokia, where the company downplayed the incident, emphasizing that no critical or customer-related data had been leaked.
The tactics and techniques employed in these breaches align with several categories from the MITRE ATT&CK framework. Tactics such as "Initial Access," in which adversaries gain a foothold in a system, and "Persistence," in which they maintain that access across restarts or credential changes, may have been used during these incidents. "Privilege Escalation" could also have been leveraged to expand the attackers' access rights and facilitate deeper exploitation.
As cybersecurity challenges continue to evolve, organizations must remain vigilant against threats from groups like IntelBroker. Business owners should prioritize strengthening their security postures and ensuring comprehensive incident response strategies are in place. Given the rapid pace of cyber threats, staying informed and proactive is critical to safeguarding sensitive information and maintaining trust in business operations.