HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[1][2]

ID: G0125
Associated Groups: Operation Exchange Marauder
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Mayuresh Dani, Qualys; Harshal Tupsamudre, Qualys; Vinayak Wadhwa, SAFE Security
Version: 1.3
Created: 03 March 2021
Last Modified: 10 April 2023

Associated Group Descriptions

Name Description
Operation Exchange Marauder


Techniques Used

Domain ID Name Use
Enterprise T1098 Account Manipulation

HAFNIUM has granted privileges to domain accounts.[2]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[1]

.006 Acquire Infrastructure: Web Services

HAFNIUM has acquired web services for use in C2 and exfiltration.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HAFNIUM has used open-source C2 frameworks, including Covenant.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

HAFNIUM has used cmd.exe to execute commands on the victim's machine.[3]

Enterprise T1136 .002 Create Account: Domain Account

HAFNIUM has created domain accounts.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

HAFNIUM has used ASCII encoding for C2 traffic.[1]

Enterprise T1005 Data from Local System

HAFNIUM has collected data and files from a compromised machine.[3]

Enterprise T1114 .002 Email Collection: Remote Email Collection

HAFNIUM has used web shells to export mailbox data.[1][2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[1]

Enterprise T1190 Exploit Public-Facing Application

HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.[1][2][4][5]

Enterprise T1083 File and Directory Discovery

HAFNIUM has searched file contents on a compromised host.[3]

Enterprise T1592 .004 Gather Victim Host Information: Client Configurations

HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HAFNIUM has collected e-mail addresses for users they intended to target.[2]

Enterprise T1590 Gather Victim Network Information

HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[2]

.005 IP Addresses

HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

HAFNIUM has hidden files on a compromised host.[3]

Enterprise T1105 Ingress Tool Transfer

HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[1][3]

Enterprise T1095 Non-Application Layer Protocol

HAFNIUM has used TCP for C2.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

HAFNIUM has used procdump to dump the LSASS process memory.[1][2][3]

.003 OS Credential Dumping: NTDS

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[2]

Enterprise T1057 Process Discovery

HAFNIUM has used tasklist to enumerate processes.[3]

Enterprise T1018 Remote System Discovery

HAFNIUM has enumerated domain controllers using net group "Domain computers" and nltest /dclist.[3]

Enterprise T1505 .003 Server Software Component: Web Shell

HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[1][2][4][5][3]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HAFNIUM has used rundll32 to load malicious DLLs.[2]

Enterprise T1016 System Network Configuration Discovery

HAFNIUM has collected IP information via IPInfo.[3]

.001 Internet Connection Discovery

HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com.[3]

Enterprise T1033 System Owner/User Discovery

HAFNIUM has used whoami to gather user information.[3]

Enterprise T1078 .003 Valid Accounts: Local Accounts

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[4]


ID Name References Techniques
S0073 ASPXSpy [2] Server Software Component: Web Shell
S0020 China Chopper [2][4][3] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0357 Impacket [5] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0029 PsExec [2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1011 Tarrask [5] Access Token Manipulation: Token Impersonation/Theft, Command and Scripting Interpreter: Windows Command Shell, Hide Artifacts, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Scheduled Task/Job: Scheduled Task