Hewlett Packard Enterprise (HPE) is informing employees that their personal data was stolen in a May 2023 cyberattack orchestrated by Russian state-sponsored hackers. The attack, which targeted HPE’s Office 365 email system, led to the unauthorized access of sensitive employee information, including Social Security numbers, credit card details, and driver’s licenses.
According to filings with the Attorney General offices in New Hampshire and Massachusetts, HPE began sending breach notification letters last month to at least 16 affected individuals. The company confirmed that it had started notifying victims on January 29, 2025, as part of its legal obligations.
Russian Hackers Behind the Attack
The cyberattack has been linked to Cozy Bear, also known as Midnight Blizzard, APT29, and Nobelium. This hacking group is believed to be part of Russia’s Foreign Intelligence Service (SVR) and has previously executed high-profile breaches, including the 2020 SolarWinds supply chain attack.
HPE initially disclosed the breach in an SEC filing on January 29, 2024, revealing that it was first notified of the intrusion on December 12, 2024. The company reported that hackers had infiltrated its cloud-based Office 365 email system in May 2023, using a compromised account to access and exfiltrate data.
“We determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear,” HPE told BleepingComputer at the time.
Extent of the Breach Remains Unclear
Despite confirming the attack, HPE has not provided exact figures on the number of employees affected. A company spokesperson described the breach as involving “a limited group of HPE team member mailboxes” and insisted that only the information contained in those mailboxes was compromised.
HPE’s forensic investigation has determined that sensitive personal information may have been accessed, prompting legal and regulatory notifications. While the company has taken steps to mitigate risks, the full scale of the breach remains uncertain.
A single compromised account led to a cascading security failure. The hackers retained access to sensitive information for months before HPE became aware of the breach.
Cozy Bear’s Continued Cyber Espionage
Cozy Bear has long been associated with state-backed cyber espionage efforts targeting Western corporations and government agencies. Their tactics often include spear-phishing campaigns, password spraying, and exploiting vulnerabilities in cloud-based services.
- In November 2024, the same group executed a password spray attack to breach Microsoft’s network, gaining access to corporate email accounts and source code repositories.
- Cozy Bear’s activities extend beyond corporate espionage, frequently targeting government agencies, security firms, and international organizations.
- The group’s involvement in the SolarWinds attack demonstrated its ability to compromise supply chains and infiltrate critical infrastructure.
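Password spraying, the tactic named above, tries one or two common passwords against many accounts rather than many passwords against one, so it stays under per-account lockout thresholds. The following example is added here and is not from the article, HPE or Microsoft: it runs that detection shape over constructed sign-in log lines, and the log format, IP addresses and usernames are all invented.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real HPE or Microsoft data), one event per
# line: "<timestamp> <source_ip> <user> <result>".
SAMPLE_LOG = """\
2023-05-02T09:00:01 203.0.113.7 alice FAIL
2023-05-02T09:00:04 203.0.113.7 bob FAIL
2023-05-02T09:00:07 203.0.113.7 carol FAIL
2023-05-02T09:00:10 203.0.113.7 dave FAIL
2023-05-02T09:00:13 203.0.113.7 erin FAIL
2023-05-02T09:00:16 203.0.113.7 frank SUCCESS
2023-05-02T09:01:00 198.51.100.9 alice FAIL
2023-05-02T09:01:30 198.51.100.9 alice FAIL
2023-05-02T09:02:00 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted users} for sources that fail against at least
    min_users distinct accounts inside window with <= max_per_user failures each."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in by_ip.items():
        win, count = deque(), defaultdict(int)
        for ts, user in fails:
            win.append((ts, user))
            count[user] += 1
            while ts - win[0][0] > window:  # drop failures older than the window
                _, old = win.popleft()
                count[old] -= 1
                if count[old] == 0:
                    del count[old]
            # Many accounts, few failures per account: the spray signature.
            if len(count) >= min_users and max(count.values()) <= max_per_user:
                hits[ip] = sorted(count)
    return hits

def successes_from_flagged(events, hits):
    """Accounts that signed in successfully from a flagged source: review these first."""
    return sorted({u for _, ip, u, r in events if ip in hits and r == "SUCCESS"})
```

The brute-force pattern from 198.51.100.9 (one account, repeated failures) is deliberately not flagged; it is the job of ordinary per-account lockout, which a spray is designed to evade.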
This latest breach is yet another example of the ongoing cyber threat posed by Russian-backed hackers against U.S. businesses.
A Second Breach in HPE’s SharePoint Server
The Office 365 attack may not have been an isolated incident. In its SEC filing, HPE disclosed that the breach could be linked to another unauthorized access event in May 2023, where threat actors infiltrated its SharePoint server and stole files.
Microsoft also warned of Cozy Bear’s activities just days before HPE’s disclosure, noting that the hackers had successfully stolen data from corporate email accounts and source code repositories. The timing suggests that multiple organizations may have been targeted simultaneously.
HPE’s History of Cybersecurity Incidents
This isn’t the first time HPE has been in the crosshairs of cybercriminals. The company has faced multiple security breaches over the years:
| Year | Incident | Details |
|---|---|---|
| 2018 | Chinese Hackers | Attackers infiltrated HPE's network and used the access to target its customers. |
| 2021 | Aruba Central Breach | Threat actors gained unauthorized access to data repositories, exposing information about monitored devices. |
| 2024-2025 | IntelBroker Claims | A hacker known as IntelBroker claimed to have stolen HPE credentials, source code, and sensitive information. |
While HPE has invested in strengthening its security measures, the recurrence of breaches raises concerns about its ability to protect sensitive data from persistent cyber threats.
Ongoing Investigations and Response
HPE has stated that it is continuing its investigation into the cyberattack and will issue additional notifications if required. The company has also pledged to work closely with law enforcement agencies to track the perpetrators and prevent further attacks.
With cybersecurity threats becoming more sophisticated, organizations are facing increasing pressure to fortify their defenses. As state-backed hackers ramp up their activities, companies like HPE remain prime targets for espionage and data theft.