HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[1][2]
Associated Group Descriptions
| Name | Description |
|---|---|
| Operation Exchange Marauder |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1583 | .003 | Acquire Infrastructure: Virtual Private Server |
HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[1] |
| .006 | Acquire Infrastructure: Web Services |
HAFNIUM has acquired web services for use in C2 and exfiltration.[1] |
||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
HAFNIUM has used open-source C2 frameworks, including Covenant.[1] |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[1][2] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
HAFNIUM has used the Exchange Power Shell module |
| Enterprise | T1136 | .002 | Create Account: Domain Account |
HAFNIUM has created and granted privileges to domain accounts.[2] |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection | |
| Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[1] |
| Enterprise | T1203 | Exploitation for Client Execution |
HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.[1][2][3] |
|
| Enterprise | T1592 | .004 | Gather Victim Host Information: Client Configurations |
HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.[1] |
| Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
HAFNIUM has collected e-mail addresses for users they intended to target.[2] |
| Enterprise | T1590 | Gather Victim Network Information |
HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[2] |
|
| .005 | IP Addresses |
HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.[2] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
HAFNIUM has used |
| .003 | OS Credential Dumping: NTDS |
HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[2] |
||
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[1][2][3] |
| Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 | |
| Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[3] |