HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[1][2]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1098 | Account Manipulation | ||
Enterprise | T1583 | .003 | Acquire Infrastructure: Virtual Private Server |
HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[1] |
.006 | Acquire Infrastructure: Web Services |
HAFNIUM has acquired web services for use in C2 and exfiltration.[1] |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
HAFNIUM has used open-source C2 frameworks, including Covenant.[1] |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[1][2] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
HAFNIUM has used the Exchange Power Shell module |
.003 | Command and Scripting Interpreter: Windows Command Shell |
HAFNIUM has used |
||
Enterprise | T1136 | .002 | Create Account: Domain Account | |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
Enterprise | T1005 | Data from Local System |
HAFNIUM has collected data and files from a compromised machine.[4] |
|
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection | |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[1] |
Enterprise | T1190 | Exploit Public-Facing Application |
HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server.[1][2][5][6][7] |
|
Enterprise | T1083 | File and Directory Discovery |
HAFNIUM has searched file contents on a compromised host.[4] |
|
Enterprise | T1592 | .004 | Gather Victim Host Information: Client Configurations |
HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.[1] |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
HAFNIUM has collected e-mail addresses for users they intended to target.[2] |
Enterprise | T1590 | Gather Victim Network Information |
HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[2] |
|
.005 | IP Addresses |
HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.[2] |
||
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | |
Enterprise | T1105 | Ingress Tool Transfer |
HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[1][4] |
|
Enterprise | T1095 | Non-Application Layer Protocol | ||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
HAFNIUM has used |
.003 | OS Credential Dumping: NTDS |
HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[2] |
||
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1018 | Remote System Discovery |
HAFNIUM has enumerated domain controllers using |
|
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[1][2][5][6][4] |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | |
Enterprise | T1016 | System Network Configuration Discovery | ||
.001 | Internet Connection Discovery |
HAFNIUM has checked for network connectivity from a compromised host using |
||
Enterprise | T1033 | System Owner/User Discovery | ||
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[5] |