Disclosures about cybersecurity breaches by Microsoft and Hewlett Packard Enterprise (HPE) underscore the influence of two entities that are reshaping the cybersecurity landscape: the SVR and the SEC: Russia’s Foreign Intelligence Service and the U.S. Securities and Exchange Commission.
Increasingly sophisticated hacks by state-sponsored groups such as the SVR, coupled with tighter disclosure requirements, are poised to drive a flurry of legal filings tied to cybersecurity incidents, throwing long-needed sunlight on the struggles of leading corporations to secure their environments, IT assets, and sensitive customer data.
And those firms' chief information security officers (CISOs) are also on notice, following the SEC's recent charges against SolarWinds and its CISO, Timothy G. Brown, for fraud and internal control failures, alleging that the company “misled investors about its cybersecurity practices and known risks” in relation to the 2020 SunBurst attack on SolarWinds.
Here's why this new reality should raise the eyebrows of enterprise leaders — and of CISOs in particular.
[ See Saša Zdjelar's post: CISO accountability in the era of software supply chain | Join Webinar: The Cyber CFO | CISOs and the New Era ]
First, the hacks. According to statements from Microsoft and HPE, hackers believed to be part of the advanced persistent threat (APT) group Cozy Bear compromised cloud-based email accounts used by the two companies in attacks targeting high-value email inboxes belonging to cybersecurity and legal experts at the companies, as well as senior executives.
In an SEC filing dated January 17, Microsoft said that it detected the presence of a “nation-state associated threat actor” on Jan 12, that “gained access to and exfiltrated information from” the employees’ email accounts. The attack is believed to have begun in November 2023. Microsoft said it is still investigating the extent of the incident and analyzing the information stolen while it works with law enforcement.
A detailed analysis of the incident published on Thursday by the company’s Threat Intelligence Team described a sophisticated attack that began with the compromise of a “legacy, non-product test tenant account” using carefully calibrated “password spray attacks.” Password spraying is a process by which malicious actors use automated means to try to guess their way into protected accounts using lists of common passwords.
Once inside, the intruders gained full access to Office 365 Exchange Online, facilitating the compromise of the users' email inboxes. "Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment,” Microsoft wrote.
Fewer details are known about the attack on HPE. The company's SEC statement, filed a couple of days after Microsoft’s, on January 19, simply states that the company was notified on December 12, 2023, that a “suspected nation-state actor, described as the threat actor Midnight Blizzard (another name for Cozy Bear) gained unauthorized access to HPE’s “cloud-based email environment” — presumably being Microsoft Office 365.
HPE also said the latest incident is likely part of an even larger hack dating to June 2023, involving “unauthorized access to and exfiltration of a limited number of SharePoint files” as early as May 2023. HPE said that it investigated that breach at the time but found that it was not a major threat. “Undertaking such actions, we determined that such activity did not materially impact the company,” HPE said.
The SEC and 'materiality': The clock is ticking
How is it that a successful attack in June on a small number of SharePoint files wasn’t deemed “material” to HPE, but a related attack a few months later on a small number of Microsoft 365 email accounts was? Credit new rules adopted by the SEC in July, some of which went into effect in December.
Those changes saw the SEC redefine requirements for what public companies must disclose with regard to cybersecurity incidents and — even more important — when they must disclose them. Specifically, the SEC’s final rule requires public companies to disclose “the occurrence of a material cybersecurity incident and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.”
As to when an incident must be disclosed, the new SEC guidelines state that public companies must provide “the required cybersecurity incident disclosure within four business days after the company determines the incident to be material” — an internal inquiry that must take place “without unreasonable delay.”
The notion of “materiality” is a bit squishy, but it broadly defines any information that “a reasonable person would consider important when making an investment decision,” or information that would significantly affect what the SEC describes as the “total mix” of existing public information available about a company. Any doubts about whether information is material “should be resolved in the favor of the investor,” the SEC states.
The new SEC guidelines clearly influenced the disclosures by Microsoft and HPE in this incident. Microsoft, for example, indicated in its SEC filing that it didn’t believe the event was “material” to the company’s operations, but “the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
HPE said in its filing that “as of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
So what has changed? The attack on SolarWinds
So why disclose incidents that are “non material”? Simple: the attack on SolarWinds. The recent SEC case against that company and its CISO Brown alleges that SolarWinds and Brown “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”
In its filings with the commission during this period, the SEC stated, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices, as well as the increasingly elevated risks the company faced at the same time. The group behind the attack on SolarWinds? You guessed it: Cozy Bear.
In other words, for both Microsoft and HPE, a first-take assessment of the most recent incidents may suggest that the operations of those massive, wealthy firms are not materially impacted. However, the SVR’s track record for rooting itself deep inside enterprises and finding novel ways to undermine the security of both them and their customers can’t be taken lightly. That recognition, coupled with the SEC’s tighter breach disclosure requirements and the specter of both corporate and individual fraud charges, tips the scales in favor of disclosure, shedding much needed daylight on incidents that were regularly shrouded in secrecy.
As we all know, sunlight is a disinfectant. The long-term effects of that on the overall security of our technology ecosystem should see some benefit.
More disclosures to come?
The story probably won’t end here. Writing for The Washington Post, Joseph Menn reported that sources inside and outside of the government put the number of affected companies at “more than 10” and “perhaps far more.”
The Cozy Bear attacks come amid heightened offensive hacking activity linked to state-sponsored hacking groups. A ReversingLabs researcher familiar with the work of Russian state actors noted the timing of the hacks:
“This kind of espionage activity is to be expected in times of unrest. Threat actors seek to gain access to privileged accounts with access to sensitive code or information to get the best payout for their efforts.”
Looking further down the road: A threat actor that was able to successfully compromise either Microsoft or HPE’s software supply chain, as happened in the attack on SolarWinds, could potentially gain the ability to push malware directly to the users of those companies' many products, the ReversingLabs researcher said.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- Get the report and take action: The State of Supply Chain Security 2024
- Join the discussion: State of Software Supply Chain Security Webinar
- See Gartner's guidance on managing software supply chain risk