Hewlett Packard Enterprise (HPE) has disclosed details about a suspected state-backed Russian hack, where cybercriminals broke into its cloud-based email system and extracted data from cybersecurity personnel and other employees.
HPE believes the hackers were from Cozy Bear, a unit of Russia’s SVR foreign intelligence service. Cozy Bear are classified by the U.S. federal government as an advanced persistent threat APT29.
Just prior to the HPE attack, Cozy Bear has been targeting Microsoft 365 accounts in various attempts to exfiltrate sensitive data, according to Bug Crowd.
The news around HPE’s hack continues to unfold, Ariel Parnes, former Head of the Israeli Intelligence Service Cyber Department, winner of the Israel Defense Prize for tech innovations in the cyber field, and COO and Co-Founder at Mitiga, the cloud and SaaS incident response leader, has explained to Digital Journal just what the implication of the attack are.
Parnes says that such an attack exposes weaknesses with cyber defence systems, and this is something all firms should learn from: “This recent security incident at Hewlett Packard Enterprise underscores the imperative for organizations to prioritize the collection and analysis of security logs.”
In terms of concrete measures, Parnes calls out: “Specifically, through the lens of unified audit logs within the M365 ecosystem, these logs are instrumental in providing insights into user activities and potential malicious actions. The importance of promptly detecting and responding to such incidents is highlighted by the HPE case, where unified audit logs were probably used in revealing unauthorized access to sensitive SharePoint files and manipulations within mailboxes.”
There is something important that all firms should practice: “Retaining these logs over an extended period equips organizations with the ability to retroactively investigate incidents, aiding in identifying the entry point and duration of a threat actor’s presence.”
This ties in with the specifics of the recent incident: “In the face of persistent Business Email Compromise (BEC) threats, the HPE incident and other significant M365 BEC instances, serves as a stark reminder that threat actors can infiltrate systems and operate undetected for an extended duration. Continuous BEC threat hunts, fuelled by the analysis of unified audit logs, empower organizations to proactively search for indicators of compromise, facilitating the discovery and neutralization of potential threats before they escalate.”
