HAFNIUM


HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they have gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets' environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.


Associated Families

There are currently no families associated with this actor.


References
2021-07-20 | RNZ
@online{rnz:20210720:government:92d39e8, author = {RNZ}, title = {{Government points finger at China over cyber attacks}}, date = {2021-07-20}, url = {https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks}, language = {English}, urldate = {2021-07-22} }
HAFNIUM Leviathan

2021-07-19 | Minister for Foreign Affairs of Australia | Karen Andrews, Peter Dutton
@online{andrews:20210719:australia:8ca5b16, author = {Karen Andrews and Peter Dutton}, title = {{Australia joins international partners in attribution of malicious cyber activity to China}}, date = {2021-07-19}, organization = {Minister for Foreign Affairs of Australia}, url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china}, language = {English}, urldate = {2021-07-22} }
APT31 HAFNIUM Leviathan

2021-07-19 | GOV.UK | NCSC UK, Dominic Raab
@online{uk:20210719:uk:9674820, author = {NCSC UK and Dominic Raab}, title = {{UK and allies hold Chinese state responsible for a pervasive pattern of hacking}}, date = {2021-07-19}, organization = {GOV.UK}, url = {https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking}, language = {English}, urldate = {2021-07-22} }
APT31 HAFNIUM Leviathan

2021-03-14 | DAILY BEAST | Matthew Brazil
@online{brazil:20210314:how:5fcb8be, author = {Matthew Brazil}, title = {{How China’s Devastating Microsoft Hack Puts Us All at Risk}}, date = {2021-03-14}, organization = {DAILY BEAST}, url = {https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk}, language = {English}, urldate = {2021-03-31} }
HAFNIUM

2021-03-09 | Microsoft | MSRC Team
@online{team:20210309:microsoft:3e03bbf, author = {MSRC Team}, title = {{Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021}}, date = {2021-03-09}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-06 | Nextron Systems | THOR Lite
@online{lite:20210306:scan:f7b0dbe, author = {THOR Lite}, title = {{Scan for HAFNIUM Exploitation Evidence with THOR Lite}}, date = {2021-03-06}, organization = {Nextron Systems}, url = {https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-06 | Github (microsoft) | Microsoft
@online{microsoft:20210306:security:7dca242, author = {Microsoft}, title = {{Security scripts}}, date = {2021-03-06}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/CSS-Exchange/tree/main/Security}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-05 | Pastebin (MALWAREQUINN) | MalwareQuinn
@online{malwarequinn:20210305:hafnium:b517725, author = {MalwareQuinn}, title = {{Hafnium Exchange Vuln Detection - KQL}}, date = {2021-03-05}, organization = {Pastebin (MALWAREQUINN)}, url = {https://pastebin.com/J4L3r2RS}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-05 | Microsoft | Louie Mayor
@online{mayor:20210305:exchange:632ca07, author = {Louie Mayor}, title = {{Exchange Server IIS dropping web shells and other artifacts}}, date = {2021-03-05}, organization = {Microsoft}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-05 | Github (cert-lv) | Andrew Konst
@online{konst:20210305:detect:a6abfa6, author = {Andrew Konst}, title = {{Detect webshells dropped on Microsoft Exchange servers after 0day compromises}}, date = {2021-03-05}, organization = {Github (cert-lv)}, url = {https://github.com/cert-lv/exchange_webshell_detection}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-04 | Elastic | Devon Kerr
@online{kerr:20210304:detection:eb05792, author = {Devon Kerr}, title = {{Detection and Response for HAFNIUM Activity}}, date = {2021-03-04}, organization = {Elastic}, url = {https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-04 | CrowdStrike | The Falcon Complete Team
@online{team:20210304:falcon:6170749, author = {The Falcon Complete Team}, title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}}, date = {2021-03-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

2021-03-04 | FireEye | Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
@online{bromiley:20210304:detection:3b8c16f, author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace}, title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

2021-03-03 | Huntress Labs | Huntress Labs
@online{labs:20210303:mass:a0ef74d, author = {Huntress Labs}, title = {{Mass exploitation of on-prem Exchange servers :(}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

2021-03-03 | splunk | Ryan Kovar
@online{kovar:20210303:detecting:f8ba84c, author = {Ryan Kovar}, title = {{Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk}}, date = {2021-03-03}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-03 | Huntress Labs | John Hammond
@online{hammond:20210303:rapid:7c97ee5, author = {John Hammond}, title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

2021-03-03 | CISA | CISA
@online{cisa:20210303:alert:c05160a, author = {CISA}, title = {{Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-03}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-062a}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-02 | Rapid7 Labs | Andrew Christian
@online{christian:20210302:rapid7s:b676aa4, author = {Andrew Christian}, title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}}, date = {2021-03-02}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

2021-03-02 | Volexity | Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{grunzweig:20210302:operation:44c264f, author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}}, date = {2021-03-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/}, language = {English}, urldate = {2021-03-07} }
CHINACHOPPER HAFNIUM

2021-03-02 | Microsoft | Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
@online{mstic:20210302:hafnium:c7d8588, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security}, title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers}, language = {English}, urldate = {2021-03-07} }
CHINACHOPPER HAFNIUM

2021-03-02 | Microsoft | MSRC Team
@online{team:20210302:multiple:d62f8de, author = {MSRC Team}, title = {{Multiple Security Updates Released for Exchange Server – updated March 8, 2021}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server}, language = {English}, urldate = {2021-03-10} }
HAFNIUM

2021-03-02 | Twitter (@ESETresearch) | ESET Research
@online{research:20210302:exchange:4473faa, author = {ESET Research}, title = {{Tweet on Exchange RCE}}, date = {2021-03-02}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1366862946488451088}, language = {English}, urldate = {2021-03-10} }
CHINACHOPPER HAFNIUM

Credits: MISP Project