HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[1][2]

ID: G0125
Associated Groups: Operation Exchange Marauder, Silk Typhoon
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Mayuresh Dani, Qualys; Harshal Tupsamudre, Qualys; Vinayak Wadhwa, SAFE Security
Version: 2.0
Created: 03 March 2021
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
Operation Exchange Marauder

[2]

Silk Typhoon

[3]

Techniques Used

Domain ID Name Use
Enterprise T1098 Account Manipulation

HAFNIUM has granted privileges to domain accounts.[2]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[1]

.006 Acquire Infrastructure: Web Services

HAFNIUM has acquired web services for use in C2 and exfiltration.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HAFNIUM has used open-source C2 frameworks, including Covenant.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

HAFNIUM has used cmd.exe to execute commands on the victim's machine.[4]

Enterprise T1136 .002 Create Account: Domain Account

HAFNIUM has created domain accounts.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

HAFNIUM has used ASCII encoding for C2 traffic.[1]

Enterprise T1005 Data from Local System

HAFNIUM has collected data and files from a compromised machine.[4]

Enterprise T1114 .002 Email Collection: Remote Email Collection

HAFNIUM has used web shells to export mailbox data.[1][2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[1]

Enterprise T1190 Exploit Public-Facing Application

HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server.[1][2][5][6][7]

Enterprise T1083 File and Directory Discovery

HAFNIUM has searched file contents on a compromised host.[4]

Enterprise T1592 .004 Gather Victim Host Information: Client Configurations

HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HAFNIUM has collected e-mail addresses for users they intended to target.[2]

Enterprise T1590 Gather Victim Network Information

HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[2]

.005 IP Addresses

HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

HAFNIUM has hidden files on a compromised host.[4]

Enterprise T1105 Ingress Tool Transfer

HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[1][4]

Enterprise T1095 Non-Application Layer Protocol

HAFNIUM has used TCP for C2.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

HAFNIUM has used procdump to dump the LSASS process memory.[1][2][4]

.003 OS Credential Dumping: NTDS

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[2]

Enterprise T1057 Process Discovery

HAFNIUM has used tasklist to enumerate processes.[4]

Enterprise T1018 Remote System Discovery

HAFNIUM has enumerated domain controllers using net group "Domain computers" and nltest /dclist.[4]

Enterprise T1505 .003 Server Software Component: Web Shell

HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[1][2][5][6][4]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HAFNIUM has used rundll32 to load malicious DLLs.[2]

Enterprise T1016 System Network Configuration Discovery

HAFNIUM has collected IP information via IPInfo.[4]

.001 Internet Connection Discovery

HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com.[4]

Enterprise T1033 System Owner/User Discovery

HAFNIUM has used whoami to gather user information.[4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[5]

Software

ID Name References Techniques
S0073 ASPXSpy [2] Server Software Component: Web Shell
S0020 China Chopper [2][5][4] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S1155 Covenant HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Asymmetric Cryptography, Non-Standard Port, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: InstallUtil, System Binary Proxy Execution: Mshta, System Information Discovery, Windows Management Instrumentation
S0357 Impacket [6] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0029 PsExec [2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1011 Tarrask [6] Access Token Manipulation: Token Impersonation/Theft, Command and Scripting Interpreter: Windows Command Shell, Hide Artifacts, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Scheduled Task/Job: Scheduled Task

References