Written by:
MJ Kaufmann Advanced Persistent Threats (APTs) stand out for their unique danger and sophistication; unlike conventional cyber threats, APTs are often state-sponsored, implying higher levels of resource investment and strategic planning. A recent alarming example is the Midnight Blizzard campaign, targeting giants like Microsoft and Hewlett Packard Enterprises (HPE). Because of the advanced skill sets and techniques exhibited by APTs, victims of such attacks are highly likely to experience significant losses. According to a document by Kaspersky, victims have a 68% chance of experiencing data loss and 78% of downtime.
This blog aims to delve into the recent Midnight Blizzard attacks on major industry players, examining the specific case of HPE’s breach and discussing strategies to mitigate the impact of future APT incidents.
Midnight Blizzard Targets HPE
Midnight Blizzard, also known as APT29, is a long-running APT with a history going back to 2014. They started with more minor incidents, but their tactics and techniques have improved. In 2020, Midnight Blizzard conducted a major supply chain attack against SolarWinds, allowing numerous related breaches against significant organizations and government entities.
The group is also known to have established connections to Russian intelligence. This is evident from their sophisticated operations, which reflect a well-resourced and strategically driven agenda, focusing on impactful cyber espionage and data exfiltration from high-profile targets.
The Breach
The Midnight Blizzard attack on HPE in May 2023 is a prime example of the complexities of APT attacks. The attack started with a targeted spear phishing campaign, where victims were tricked into clicking on malicious links disguised as legitimate documents. These documents launched PowerShell scripts, a core attack vector for this group, opening up channels for unauthorized access and exfiltration of data from email accounts belonging to individuals across the company, including those in cybersecurity and business teams.
Unlike traditional attackers that often are detected within days of the attack, this APT was extremely stealthy, operating undetected until December of 2023, when HPE was notified by the SEC. Despite assertions that it has not had a material impact on operations, there will likely be more discoveries and disclosures by HPE in the future. One of the core tactics of an APT is to create numerous backdoors and future access points to allow them access after the initial breach is discovered.
Targeting Collaboration
Rather than just being confined to email, this attack branched into the SharePoint collaboration tool. Organizations frequently use this tool to share documents and collaboratively work on them. As SharePoint is often considered a secure repository for data, it is not uncommon for sensitive data to reside there, covering everything from business plans to customer data for analytics. Based on Midnight Blizzard’s history of espionage, there is a strong possibility that this data is a potential attack target.
Collaborate Safely
collaborative tools like SharePoint have become indispensable enablers, facilitating seamless interaction and information sharing across organizations. However, the integration of these platforms also brings the risk of rapidly spreading cyber threats within collaborative environments. Addressing this challenge doesn’t imply stifling collaboration or complicating the user experience. Rather, the focus should be on implementing robust security solutions that offer effective protection without adding unnecessary user friction or demanding excessive management overhead. By striking this balance, companies can safeguard their collaborative spaces while maintaining the fluidity and efficiency that these tools are designed to provide.
Understanding Where Data Is
Organizations must first thoroughly understand the risks associated with collaborative tools to effectively balance the need for collaboration with cybersecurity. A key challenge is the lack of comprehensive insight into the nature and flow of data within these spaces. Often, sensitive information finds its way into collaborative platforms like SharePoint, potentially leading to unintended access or exposure. This risk is amplified because such data, once stored in these collaborative environments, may be inadvertently shared with individuals or entities who should not have access to it.
Data Security Posture Management (DSPM) solutions are one way organizations can control collaborative spaces without inhibiting usage. By delving deep into these environments, DSPM tools effectively identify sensitive data that might remain unnoticed. This granular visibility helps organizations understand the full scope of data that flows through and is stored in collaborative tools. With this knowledge, organizations can implement targeted and appropriate security controls, ensuring that sensitive information is adequately protected while maintaining the fluidity and accessibility that makes these collaborative tools so valuable.
Protecting the Data
Understanding what resides in spaces such as SharePoint builds the foundation of data security, but the goal of collaboration is the ability of users to continuously use it. Data Detection and Response (DDR) helps manage the more fluid utilization of data in these spaces. DDR continuously monitors data utilization in the Cloud and collaborative platforms, watching for high-risk scenarios such as transferring sensitive data. It generates near real-time alerts and blocks access due to data sharing outside of roles and policies, helping prevent accidental disclosures and data exfiltration from cyberattacks and malware.
Sotero Defends Data
Enhancing the defense of collaborative platforms like SharePoint begins with fortifying cloud data security at its core. Sotero, a front-runner in data security, brings a comprehensive solution of DSPM and DDR to the table. Combined with an offering of advanced encryption, robust access control, sophisticated anomaly detection, and automated incident response, Sotero empowers organizations to fortify their SharePoint environments against cyber threats. Its seamless integration with existing infrastructure allows for swift adoption, ensuring that data within collaborative platforms is secured promptly and effectively without disrupting the collaborative workflow essential to business operations.
Schedule a demo today to learn more about how Sotero can help defend your collaborative environments.