HPE, Microsoft breach disclosures spotlight new era of CISO liability

Disclosures about cybersecurity breaches by Microsoft and Hewlett Packard Enterprise (HPE) underscore the influence of two major forces that are reshaping the cybersecurity landscape: the SVR and the SEC, otherwise known as Russia’s Foreign Intelligence Service (the SVR) and the U.S. Securities and Exchange Commission (SEC).

Increasingly sophisticated hacks by state-sponsored groups like the SVR, coupled with tighter disclosure requirements, are poised to drive a flurry of legal filings tied to cybersecurity incidents, throwing long-needed sunlight on the struggles of leading corporations to secure their environments, IT assets and sensitive customer data.

And chief information security officers (CISOs) at these firms are also on notice, following the SEC's recent charges against SolarWinds and its CISO, Timothy G. Brown, for fraud and internal control failures, alleging that the company “misled investors about its cybersecurity practices and known risks” in relation to the 2020 SunBurst attack on SolarWinds.

Here's why this new reality should raise the eyebrows of enterprise leaders — CISOs in particular.


Pwning 365

First, the hacks. According to statements from Microsoft and HPE, hackers believed to be part of the advanced persistent threat (APT) group Cozy Bear compromised cloud-based email accounts used by the two companies, in attacks targeting high-value email inboxes belonging to cybersecurity and legal experts as well as senior executives at the companies.

In an SEC filing dated Jan. 17, Microsoft said that on Jan. 12 it detected the presence of a “nation-state associated threat actor” that “gained access to and exfiltrated information from” the employees’ email accounts. The attack is believed to have begun in November 2023. Microsoft said it is still investigating the extent of the incident and analyzing the information stolen, while it works with law enforcement.

A detailed analysis of the incident published by the company’s Threat Intelligence Team on Thursday described a sophisticated attack that began with the compromise of a “legacy, non-product test tenant account” using carefully calibrated “password spray attacks.” Password spraying is a process by which malicious actors use automated means to try to guess their way into protected accounts, trying a short list of common passwords against many accounts rather than many passwords against one, which keeps each account below lockout thresholds.

Once inside, the intruders gained full access to Office 365 Exchange Online, facilitating the compromise of the users' email inboxes. "Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment,” Microsoft wrote.
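The password-spray pattern described above (many accounts, few attempts each, from one source) is what a defender would look for in sign-in telemetry. Below is an added example, not code from the original article or from Microsoft, that flags such sources over constructed sample sign-in lines; the log format and the tenant names are assumptions for illustration only.

```python
"""Password-spray detection over constructed sign-in events (hypothetical log format)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, account, source IP, result. Not a real audit-log schema.
# 203.0.113.5 touches five accounts once each, then succeeds against a test account.
# 198.51.100.7 hammers a single account (brute force), which is a different signal.
SAMPLE_LOG = """\
2023-11-02T10:00:01Z alice@example.test 203.0.113.5 FAILURE
2023-11-02T10:00:03Z bob@example.test 203.0.113.5 FAILURE
2023-11-02T10:00:05Z carol@example.test 203.0.113.5 FAILURE
2023-11-02T10:00:07Z dave@example.test 203.0.113.5 FAILURE
2023-11-02T10:00:09Z erin@example.test 203.0.113.5 FAILURE
2023-11-02T10:00:11Z test-tenant@example.test 203.0.113.5 SUCCESS
2023-11-02T10:01:00Z alice@example.test 198.51.100.7 FAILURE
2023-11-02T10:01:30Z alice@example.test 198.51.100.7 FAILURE
2023-11-02T10:02:00Z alice@example.test 198.51.100.7 SUCCESS
"""

def parse(text):
    """Turn the sample lines into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {ip: {...}} for sources whose failures inside one window hit at least
    min_accounts distinct accounts with no more than max_per_account tries each,
    plus any successful sign-in from that source during the same window."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in sorted(events):
        (fails if result == "FAILURE" else successes)[ip].append((ts, user))
    findings = {}
    for ip, items in fails.items():
        for i, (start, _) in enumerate(items):          # sliding window over failures
            per_user = Counter(u for t, u in items[i:] if t - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits = [u for t, u in successes.get(ip, []) if start <= t <= start + window]
                findings[ip] = {"accounts": len(per_user), "success_after_spray": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

A success from a flagged source, as with the test account here, is the event worth escalating: the spray itself is noise, the login that follows it is the intrusion.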

Details of the attack on HPE have been less forthcoming. Its SEC statement, filed on January 19, a couple of days after Microsoft’s, simply states that the company was notified on December 12, 2023, that a “suspected nation-state actor, described as the threat actor Midnight Blizzard” (another name for Cozy Bear) gained unauthorized access to HPE’s “cloud-based email environment” — presumably Microsoft Office 365.

HPE also said the latest incident is likely part of an even larger hack dating to June 2023, involving “unauthorized access to and exfiltration of a limited number of SharePoint files” as early as May 2023. HPE said that it investigated that breach at the time and found it was not a major threat. “Undertaking such actions, we determined that such activity did not materially impact the company,” HPE said.

The SEC and 'materiality': The clock is ticking

How is it that a successful attack in June on a small number of SharePoint files wasn’t deemed “material” to HPE, but a related attack a few months later on a small number of Microsoft 365 email accounts was? Credit new rules adopted by the SEC in July, some of which went into effect in December. 

Those changes saw the SEC redefine requirements for what public companies must disclose with regard to cybersecurity incidents and, even more important, when they must disclose them. Specifically, the SEC’s final rule requires public companies to disclose “the occurrence of a material cybersecurity incident and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.”

As to when an incident must be disclosed, the new SEC guidelines state that public companies must provide “the required cybersecurity incident disclosure within four business days after the company determines the incident to be material” — an internal inquiry that must take place “without unreasonable delay.”  

The notion of “materiality” is a bit squishy, but broadly defines any information that “a reasonable person would consider important when making an investment decision,” or information that would significantly affect what the SEC describes as the “total mix” of existing public information available about a company. Any doubts about whether information is material “should be resolved in the favor of the investor,” the SEC states. 

The new SEC guidelines clearly influenced the disclosures by Microsoft and HPE in this incident. Microsoft, for example, indicated in its SEC filing that it didn’t believe the event was “material” to the company’s operations, but that “the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

HPE likewise said in its filing that “as of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” However, the four-day disclosure requirement wouldn’t allow the company to delay disclosure for the days, weeks, months or longer needed to do a comprehensive impact assessment (assuming such a thing is even possible).

So what has changed? The attack on SolarWinds

So why disclose incidents that are “non-material”? Look to the attack on SolarWinds and the recent SEC case against that company and its CISO. The complaint alleges that SolarWinds and Brown “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”

According to the SEC, SolarWinds’ filings during this period misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices, as well as the increasingly elevated risks the company faced. The group behind the attack on SolarWinds? You guessed it: Cozy Bear.

In other words, for both Microsoft and HPE, a first-take assessment of the most recent incidents may suggest that the operations of those massive, wealthy firms are not materially impacted. However, the SVR’s track record for rooting itself deep inside enterprises and finding novel ways to undermine both their security and that of their customers can’t be taken lightly. That, coupled with the SEC’s tighter breach disclosure requirements and the specter of both corporate and individual fraud charges, tips the scales in favor of disclosure, shedding much-needed daylight on incidents that were regularly shrouded in secrecy.

As we all know, sunlight is a disinfectant. The overall security of our technology ecosystem should benefit from that in the long term.

More disclosures to come? 

The story probably won’t end here. Writing for The Washington Post, Joseph Menn reported that sources inside and outside of the government put the number of affected companies at “more than 10” and “perhaps far more.” 

The Cozy Bear attacks come amid heightened offensive hacking activity linked to state-sponsored hacking groups. A ReversingLabs researcher who has worked on incidents involving Russian state actors, and prefers to remain anonymous, highlighted the timing of the hacks.

“This kind of espionage activity is to be expected in times of unrest. Threat actors seek to gain access to privileged accounts with access to sensitive code or information to get the best payout for their efforts.”

Looking further down the road: a threat actor that was able to successfully compromise HPE’s software supply chain, as happened in the attack on SolarWinds, could potentially gain the ability to push malware directly to users of HPE’s many products, the ReversingLabs researcher said.
