HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[1][2]

ID: G0125
Associated Groups: Operation Exchange Marauder, Silk Typhoon
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Mayuresh Dani, Qualys; Harshal Tupsamudre, Qualys; Vinayak Wadhwa, SAFE Security
Version: 2.0
Created: 03 March 2021
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
Operation Exchange Marauder [2]
Silk Typhoon [3]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

HAFNIUM has collected data and files from a compromised machine.[4]

Enterprise T1136 .002 Create Account: Domain Account

HAFNIUM has created domain accounts.[2]

Enterprise T1190 Exploit Public-Facing Application

HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server.[1][2][5][6][7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HAFNIUM has used the Exchange PowerShell cmdlet Set-OabVirtualDirectory to export mailbox data.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HAFNIUM has used cmd.exe to execute commands on the victim's machine.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HAFNIUM has used open-source C2 frameworks, including Covenant.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[1][2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

HAFNIUM has used procdump to dump the LSASS process memory.[1][2][4]

Enterprise T1003 .003 OS Credential Dumping: NTDS

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[2]

Enterprise T1592 .004 Gather Victim Host Information: Client Configurations

HAFNIUM has interacted with Office 365 tenants to gather details regarding targets' environments.[1]

Enterprise T1590 Gather Victim Network Information

HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[2]

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

HAFNIUM has obtained IP addresses for publicly accessible Exchange servers.[2]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HAFNIUM has collected e-mail addresses for users they intended to target.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

HAFNIUM has used ASCII encoding for C2 traffic.[1]

Enterprise T1083 File and Directory Discovery

HAFNIUM has searched file contents on a compromised host.[4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[5]

Enterprise T1505 .003 Server Software Component: Web Shell

HAFNIUM has deployed multiple web shells on compromised servers, including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[1][2][5][6][4]

Enterprise T1114 .002 Email Collection: Remote Email Collection

HAFNIUM has used web shells to export mailbox data.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HAFNIUM has used rundll32 to load malicious DLLs.[2]

Enterprise T1033 System Owner/User Discovery

HAFNIUM has used whoami to gather user information.[4]

Enterprise T1016 System Network Configuration Discovery

HAFNIUM has collected IP information via IPInfo.[4]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com.[4]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[1]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

HAFNIUM has acquired web services for use in C2 and exfiltration.[1]

Enterprise T1098 Account Manipulation

HAFNIUM has granted privileges to domain accounts.[2]

Enterprise T1105 Ingress Tool Transfer

HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host.[1][4]

Enterprise T1057 Process Discovery

HAFNIUM has used tasklist to enumerate processes.[4]

Enterprise T1018 Remote System Discovery

HAFNIUM has enumerated domain controllers using net group "Domain computers" and nltest /dclist.[4]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

HAFNIUM has hidden files on a compromised host.[4]

Enterprise T1095 Non-Application Layer Protocol

HAFNIUM has used TCP for C2.[1]

Software

ID Name References Techniques
S0073 ASPXSpy [2] Server Software Component: Web Shell
S0020 China Chopper [2][5][4] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer
S1155 Covenant HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[1] Windows Management Instrumentation, Encrypted Channel: Asymmetric Cryptography, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: InstallUtil, System Binary Proxy Execution: Mshta, System Information Discovery, Non-Standard Port
S0357 Impacket [6] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0029 PsExec [2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S1011 Tarrask [6] Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Command and Scripting Interpreter: Windows Command Shell, Access Token Manipulation: Token Impersonation/Theft, Hide Artifacts, Scheduled Task/Job: Scheduled Task

References