The disclosure follows a similar report Friday from Microsoft, which said in an SEC filing that it had lost senior executive emails as well as those of security professionals. It said the hackers appeared to be looking for information on what Microsoft knew about them.
HPE did not say how the attack had been uncovered, but said intruders first entered its systems in May 2023, taking the contents of a “small percentage” of overall Office 365 mailboxes belonging primarily to its cybersecurity, marketing and other departments.
Both HPE and Microsoft have large numbers of government and defense customers, and both blamed a group associated with Russia’s SVR foreign intelligence service for the intrusions. The group was behind the massive 2020 breach that began with altered software at SolarWinds and that went on to get inside the computer systems of SolarWinds customers at nine federal agencies.
“HPE is a huge cloud service provider, plus with the recent announcement of the Juniper acquisition a massive networking player,” said Chris Krebs, chief intelligence officer at security company SentinelOne and the head of cybersecurity at the Department of Homeland Security in the last administration. HPE announced Jan. 9 that it would spend $14 billion to acquire Juniper Networks, which designs computer networking equipment.
“It’s almost like a portfolio play by the SVR to see who’s on to them and maybe look for SolarWinds-like opportunities to compromise various aspects of the supply chain,” Krebs said.
The tech companies’ SEC filings come after tightened rules for when hacking incident must be disclosed. Both companies said that they had not determined whether the breach and fallout would have a “material” impact on their finances, suggesting that they were filing out of an abundance of caution.
The companies said they were working with law enforcement and continuing to investigate.
U.S. intelligence officials did not immediately respond to a request for comment.