Hewlett Packard Enterprise Confirms Data Breach Linked to Russian State-Sponsored Hackers
Hewlett Packard Enterprise (HPE) has notified a group of employees that their personal information was compromised during a cyberattack in May 2023, which was conducted by attackers affiliated with the Russian government. This breach specifically targeted HPE’s Office 365 email system, resulting in the exposure of sensitive data, including drivers’ licenses, Social Security numbers, and credit card information belonging to at least 16 employees.
In January 2025, HPE began communicating with those affected, as reported to the state Attorney General offices in New Hampshire and Massachusetts. The company’s forensics investigation revealed that unauthorized access to some individuals’ information had indeed occurred, prompting HPE to take immediate action to inform impacted parties.
The attack has been attributed to Cozy Bear, also known as Midnight Blizzard, APT29, and Nobelium, a hacking group with links to the Russian Foreign Intelligence Service (SVR). Known for its involvement in high-profile cyber incidents, Cozy Bear was also implicated in the notorious SolarWinds breach in 2020, among other significant attacks.
On January 29, 2024, HPE disclosed the breach in an SEC filing. The company indicated that it was made aware of the incident by its cybersecurity team on December 12, 2023. Initial investigations confirmed that hackers were able to exfiltrate data from selected employee mailboxes, particularly from departments related to cybersecurity, market strategy, and business operations. An HPE representative stressed that only a limited subset of mailboxes had been accessed, and no other systems had been affected. However, investigations remain ongoing.
In a related development, the Office 365 breach appears to be linked to an earlier incident in May 2023, during which HPE’s SharePoint server was also compromised, resulting in the theft of files. This broader context of continual targeting suggests a concerted effort by Cozy Bear to infiltrate HPE’s infrastructure and access sensitive business information.
Additionally, shortly before HPE’s announcement, Microsoft disclosed that Cozy Bear had also penetrated its corporate email accounts and source code repositories, identifying the initial intrusion as a password spray attack that exploited a legacy test account starting back in November 2024.
This incident marks yet another chapter in HPE’s ongoing struggles with cybersecurity. Previous breaches include an attack attributed to Chinese hackers in 2018 that targeted customer devices and a 2021 incident affecting its Aruba Central network monitoring platform, which exposed sensitive device and location data. Moreover, in 2024 and 2025, the company faced allegations from a hacker operating under the name IntelBroker, who claimed to have compromised various credentials and sensitive corporate data.
In response to these ongoing security challenges, HPE is actively cooperating with law enforcement agencies and cybersecurity experts as part of its efforts to mitigate the fallout from this breach. The company has confirmed that all necessary notifications have been dispatched to affected employees.
As cyber threats continue to evolve, this breach serves as a critical reminder for business owners about the importance of robust cybersecurity measures. The tactics used by Cozy Bear align with several MITRE ATT&CK techniques, including initial access and credential dumping, emphasizing the necessity for organizations to strengthen their defenses against such sophisticated adversaries. Understanding these tactics can aid businesses in bolstering their security posture and assessing their risk management strategies accordingly.
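The password spray pattern the article mentions (a few guesses each against many accounts from one source, followed by a successful sign-in on a neglected account) is what a defender should be hunting for in sign-in logs. The following added example, not code from the article or from HPE or Microsoft, runs a small spray detector over constructed sign-in records; the log format, IPs and account names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real HPE or Microsoft logs):
# timestamp, source IP, account, outcome. One source fails against many
# accounts, then lands on a legacy test account; another is a single user
# mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 test-legacy@example.com FAIL
2023-11-20T02:00:05Z 203.0.113.7 alice@example.com FAIL
2023-11-20T02:00:09Z 203.0.113.7 bob@example.com FAIL
2023-11-20T02:00:14Z 203.0.113.7 carol@example.com FAIL
2023-11-20T02:00:20Z 203.0.113.7 dave@example.com FAIL
2023-11-20T02:00:27Z 203.0.113.7 erin@example.com FAIL
2023-11-20T02:00:33Z 203.0.113.7 test-legacy@example.com SUCCESS
2023-11-20T02:05:00Z 198.51.100.9 alice@example.com FAIL
2023-11-20T02:05:30Z 198.51.100.9 alice@example.com FAIL
2023-11-20T02:06:00Z 198.51.100.9 alice@example.com SUCCESS
"""

def parse(log_text):
    """Parse whitespace-separated records into (time, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against >= min_accounts distinct accounts inside a
    sliding window. A spray differs from brute force: few attempts per account,
    many accounts. Returns {ip: {"accounts": set, "success_after": [users]}}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(t, u) for t, _, u, o in evs if o == "FAIL"]
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                # A success from the same source after the spray began is the
                # high-priority signal: a guessed credential probably landed.
                landed = [u for t, _, u, o in evs if o == "SUCCESS" and t >= t0]
                alerts[ip] = {"accounts": users, "success_after": landed}
                break
    return alerts
```

Tune `window` and `min_accounts` to the tenant's normal failure rate, and treat any entry in `success_after` as an account to disable and investigate first.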