← All Threat Actors
Threat Actor Profile

HAFNIUM

ATK233 G0125 MURKY PANDA Operation Exchange Marauder Red Dev 13 Silk Typhoon
▲ High Threat
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
Origin China

Known TTPs

Client Configurations
Password Spraying
Ingress Tool Transfer
Web Services
Archive via Utility
Data from Local System
Botnet
System Owner/User Discovery
Sharepoint
Exploitation for Privilege Escalation
Botnet
Windows Command Shell
Process Discovery
LSASS Memory
Data from Cloud Storage
Automated Collection
Gather Victim Network Information
Web Shell
Email Addresses
Cloud Secrets Management Stores
Code Repositories
Exfiltration to Cloud Storage
Remote Email Collection
Rundll32
Local Accounts
PowerShell
Hidden Files and Directories
Internet Connection Discovery
System Network Configuration Discovery
IP Addresses
Trusted Relationship
Cloud Accounts
File and Directory Discovery
NTDS
Account Manipulation
Domain Account
Web Protocols
Remote System Discovery
Application Access Token
Clear Windows Event Logs
Exploit Public-Facing Application
Non-Application Layer Protocol
Standard Encoding
Virtual Private Server

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD