The HPE data breach is currently under scrutiny by Hewlett Packard Enterprise as they delve into claims of a possible incursion, with a supposed threat actor allegedly offering stolen HPE credentials for sale on a cybercrime forum. Despite the assertions surrounding the data breach, HPE has informed that their investigations have yet to confirm any security compromise, and no demand for ransom has been made in connection with the incident.
Everything you need to know about HPE data breach
Adam R. Bauer, HPE’s Sr. Director for Global Communications, communicated to BleepingComputer:
“We are aware of the claims and are investigating their veracity. At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.”
The alleged seller, known by the moniker IntelBroker, provided a glimpse into the claimed breach by releasing screenshots that depict what they assert are HPE credentials. However, the origin and technique employed to acquire such data remain undisclosed.
The individual behind the alleged HPE data breach has proclaimed on a notorious hacking forum:
“Today, I am selling the data I have taken from Hewlett Packard Enterprise. More specifically, the data includes: CI/CD access , System logs , Config Files , Access Tokens , HPE StoreOnce Files (Serial numbers warrant etc) & Access passwords. (Email services are also included).”
IntelBroker, the alias used by the threat actor in question, has previously gained notoriety for the significant breach of DC Health Link. This previous infringement resulted in the exposure of personal details pertaining to members and staff of the U.S. House of Representatives, subsequently triggering a congressional hearing.
This entity has also been associated with other cybersecurity infractions, including an intrusion into the Weee! grocery delivery service and an alleged compromise of confidential data from General Electric Aviation, further underscoring the severity of the HPE data breach claims.
Russian hackers breach HPE corporate email accounts
The HPE data breach investigation has been intensified following Hewlett Packard Enterprise’s recent disclosure that, in May 2023, their Microsoft Office 365 email system fell victim to a cyber incursion. HPE attributes this breach to what they suspect are Russian hackers affiliated with the APT29 group, which is connected to the SVR, Russia’s Foreign Intelligence Service.
HPE acknowledged that these Russian hackers were able to exfiltrate SharePoint files and pertinent data from its cybersecurity and various other departments. The intrusion extended to HPE’s cloud infrastructure, with unauthorized access persisting until December. This was when HPE was notified of another breach within its cloud-based email system.
“On December 12, 2023, HPE was notified that a suspected nation-state actor had gained unauthorized access to the company’s Office 365 email environment. HPE immediately activated cyber response protocols to begin an investigation, remediate the incident, and eradicate the activity,” HPE stated.
“Through that investigation, which remains ongoing, we determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”
This revelation from HPE about the Russian-linked HPE data breach came just days after Microsoft reported a similar incident. In Microsoft’s case, APT29 managed to compromise email accounts of its high-level executives and employees, particularly those within the cybersecurity and legal sectors.
Microsoft’s investigation found that the hackers accessed these corporate email accounts by exploiting a misconfigured test tenant account through a “password spraying” attack, wherein they guessed weak passwords until they broke through the account’s defenses.
In a historical context, HPE also suffered a security breach in 2018, which was linked to APT10, a group of Chinese hackers. This group also infiltrated IBM’s networks and utilized that breach to target HPE’s customers’ devices.
More recently, in 2021, HPE announced that its Aruba Central network monitoring platform’s data repositories were compromised. This breach allowed attackers to gain insight into information about the devices being monitored and their geographical locations.
In an update concerning the current HPE data breach, Bauer told that the data now circulating for sale was sourced from a testing environment, which may imply a potentially lower level of sensitivity compared to operational or production environments.
“Based on our investigation so far, the data at issue appears to be related to information that was contained in a test environment. There is no indication these claims relate to any compromise of HPE production environments or customer information. These are local credentials used in an isolated test environment and are not applicable to the production environment. In addition, these credentials alone would not allow access to production environments as we have multi-layered security measures in place. Furthermore, we don’t have any indication that these claims relate to any compromise of customer information. That said, we have taken additional measures to harden our environment further in relation to the credentials at issue.”
Featured image credit: HPE