ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Hafnium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Hafnium

NamesHafnium (Microsoft)
CountryChina China
MotivationInformation theft and espionage
First seen2021
Description(Microsoft) HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
ObservedCountries: Worldwide.
Tools used4 MS Exchange 0-days.
Information<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>
<https://www.dropbox.com/s/dwiygk49pos4vqx/Whitepaper%204%20MS%20Exchange%200-days.pdf?dl=0>

Last change to this card: 16 June 2021

Download this actor card in PDF or JSON format

Previous: Hades
Next: Hexane

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key