HPE confirms Russian hackers stole sensitive employee data in May 2023 breach, i...
**Hewlett Packard Enterprise (HPE)** has confirmed that **Russian state-sponsored hackers** have stolen sensitive employee data in a devastating cyberattack. The breach, which targeted the company’s **Office 365** email environment, transpired in **May 2023** and only recently came to light in official filings and breach notification letters sent to affected individuals.
### **HPE Employees Targeted by Cozy Bear Hackers**
The hacking group responsible, **[Cozy Bear](https://www.secureblink.com/cyber-security-news/how-russian-hackers-leveraged-spyware-exploits-from-nso-group-and-intellexa-in-watering-hole-attacks)** (also known as **APT29**, **Midnight Blizzard**, and **Nobelium**), is believed to be linked to Russia’s **Foreign Intelligence Service (SVR)**. This notorious group has previously been involved in **high-profile breaches**, including the infamous **[SolarWinds](https://www.secureblink.com/cyber-security-news/a-second-threat-actor-found-to-attack-solarwinds-system) supply chain attack** in 2020.
The breach is a part of a broader campaign by Cozy Bear, which targeted not just **HPE's email environment**, but also its **SharePoint server** in the same timeframe, further compromising confidential data across multiple systems.
### **Sensitive Data Stolen from Employee Mailboxes**
According to breach notification letters sent to affected employees, personal data such as **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were stolen. At least **16 employees** were notified of the breach, though the full extent of the breach remains unclear. HPE spokespersons confirmed that it was "a limited group of HPE team member mailboxes that were accessed," and stressed that only the data contained in these mailboxes was impacted.
### **Timeline of Events: The HPE Breach**
The breach was first disclosed publicly in an **SEC filing** dated **January 29, 2024**, where **Hewlett Packard Enterprise** revealed that it was notified on **December 12, 2023**, that the **Cozy Bear hackers** had compromised its cloud-based **Office 365 email environment** in May 2023. The hackers exploited a **compromised account**, gaining access to email inboxes of select employees in **cybersecurity**, **go-to-market**, and other critical business sectors.
HPE’s official statement confirmed that the hackers began exfiltrating data in **May 2023** and continued until the discovery of the breach. The company stated that the accessed data was **limited to information contained in the mailboxes** of the affected employees.
### **Connection to Other Major Hacks**
In the **SEC filing**, HPE indicated that this breach may have been linked to a second breach in **May 2023**, where hackers also targeted the company’s **SharePoint server** and stole files. This came on the heels of Microsoft’s **January 2024** announcement that Cozy Bear hackers had infiltrated its network, accessing both **corporate email accounts** and **source code repositories**.
### **HPE’s History of Security Breaches**
This isn’t the first time that **Hewlett Packard Enterprise** has been targeted by cybercriminals. In **2018**, Chinese state-sponsored hackers breached HPE’s network, leading to compromises of its **customer devices**. HPE also reported a significant breach in **2021** when data repositories for its **Aruba Central network** monitoring platform were hacked, exposing sensitive information about monitored devices and their locations.
Additionally, in **February 2024** and **January 2025**, HPE launched investigations into potential **new security breaches** after an actor using the **IntelBroker** handle claimed responsibility for stealing **HPE credentials**, **source code**, and other proprietary information.
### **Breach Notification and Employee Impact**
Hewlett Packard Enterprise began notifying employees whose personal data had been stolen in **January 2025**, following legal requirements to inform affected individuals. The breach notification letters state that the stolen data was "subject to unauthorized access," which HPE is continuing to investigate.
In a statement, HPE said it was taking steps to strengthen its cybersecurity measures to prevent further attacks. The company also emphasized that the breach is being addressed in full compliance with applicable law.
### **What This Means for HPE’s Security Measures**
HPE has long been an attractive target for hackers due to its role in providing enterprise-grade IT solutions across sectors. This breach has raised questions about the strength of the company’s internal security measures and its ability to safeguard employee data. The breach also underscores the growing risk of cyberattacks by **state-sponsored groups** who possess advanced tools and techniques to infiltrate even the most secure environments.
In response, HPE is actively working on bolstering its security framework, with a focus on **enhanced encryption**, better **endpoint protection**, and tighter control over **third-party access** to corporate resources.
### **Conclusion: Cybersecurity Challenges for Enterprises**
The HPE breach serves as a stark reminder of the increasing sophistication of cyberattacks targeting major corporations. With **nation-state actors** involved, the risks are far more severe than conventional attacks. The breach highlights the need for all enterprises to continuously update their cybersecurity strategies and adopt **advanced threat detection systems**.
**What can we learn from this breach?** The **importance of multi-layered security**, **immediate incident response**, and **employee data protection** cannot be overstated. In the face of evolving threats, companies like HPE must remain vigilant, and more importantly, transparent, in their efforts to protect sensitive data.
### **Key Takeaways:**
- **Cozy Bear** (APT29), a **Russian state-sponsored hacker group**, breached **Hewlett Packard Enterprise** in **May 2023**, stealing **personal data** from employee mailboxes.
- **16 employees** were notified that **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were among the stolen data.
- The breach is connected to a broader campaign, including a **SharePoint server hack** and a larger **cyberattack** on Microsoft.
- HPE’s cybersecurity vulnerabilities are under scrutiny, with additional investigations ongoing.
- The breach emphasizes the growing threat of **nation-state cyberattacks** and the critical need for companies to enhance their security protocols.
This attack should be a wake-up call for all organizations: **cybersecurity is no longer optional**; it’s a necessity.