
G0125 HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [2][1]

| Item | Value |
|---|---|
| ID | G0125 |
| Associated Names | Operation Exchange Marauder |
| Version | 1.3 |
| Created | 03 March 2021 |
| Last Modified | 10 April 2023 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Operation Exchange Marauder | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | HAFNIUM has granted privileges to domain accounts. [1] |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | HAFNIUM has operated from leased virtual private servers (VPS) in the United States. [2] |
| enterprise | T1583.006 | Web Services | HAFNIUM has acquired web services for use in C2 and exfiltration. [2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | HAFNIUM has used open-source C2 frameworks, including Covenant. [2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration. [2][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | HAFNIUM has used the Exchange PowerShell cmdlet Set-OabVirtualDirectory to export mailbox data. [2][1] |
| enterprise | T1059.003 | Windows Command Shell | HAFNIUM has used cmd.exe to execute commands on the victim's machine. [3] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.002 | Domain Account | HAFNIUM has created domain accounts. [1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | HAFNIUM has used ASCII encoding for C2 traffic. [2] |
| enterprise | T1005 | Data from Local System | HAFNIUM has collected data and files from a compromised machine. [3] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.002 | Remote Email Collection | HAFNIUM has used web shells to export mailbox data. [2][1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | HAFNIUM has exfiltrated data to file sharing sites, including MEGA. [2] |
| enterprise | T1190 | Exploit Public-Facing Application | HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware. [2][1][4][5] |
| enterprise | T1083 | File and Directory Discovery | HAFNIUM has searched file contents on a compromised host. [3] |
| enterprise | T1592 | Gather Victim Host Information | - |
| enterprise | T1592.004 | Client Configurations | HAFNIUM has interacted with Office 365 tenants to gather details regarding targets' environments. [2] |
| enterprise | T1589 | Gather Victim Identity Information | - |
| enterprise | T1589.002 | Email Addresses | HAFNIUM has collected e-mail addresses for users they intended to target. [1] |
| enterprise | T1590 | Gather Victim Network Information | HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment. [1] |
| enterprise | T1590.005 | IP Addresses | HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers. [1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | HAFNIUM has hidden files on a compromised host. [3] |
| enterprise | T1105 | Ingress Tool Transfer | HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host. [2][3] |
| enterprise | T1095 | Non-Application Layer Protocol | HAFNIUM has used TCP for C2. [2] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | HAFNIUM has used procdump to dump the LSASS process memory. [2][1][3] |
| enterprise | T1003.003 | NTDS | HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT). [1] |
| enterprise | T1057 | Process Discovery | HAFNIUM has used tasklist to enumerate processes. [3] |
| enterprise | T1018 | Remote System Discovery | HAFNIUM has enumerated domain controllers using `net group "Domain computers"` and `nltest /dclist`. [3] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | HAFNIUM has deployed multiple web shells on compromised servers, including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy. [2][1][4][5][3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | HAFNIUM has used rundll32 to load malicious DLLs. [1] |
| enterprise | T1016 | System Network Configuration Discovery | HAFNIUM has collected IP information via IPInfo. [3] |
| enterprise | T1016.001 | Internet Connection Discovery | HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com. [3] |
| enterprise | T1033 | System Owner/User Discovery | HAFNIUM has used whoami to gather user information. [3] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.003 | Local Accounts | HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers. [4] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0073 | ASPXSpy | [1] | Web Shell: Server Software Component |
| S0020 | China Chopper | [1][4][3] | Web Protocols: Application Layer Protocol; Password Guessing: Brute Force; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp: Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Software Packing: Obfuscated Files or Information; Web Shell: Server Software Component |
| S0357 | Impacket | [5] | LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Network Sniffing; NTDS: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation |
| S0029 | PsExec | [1] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services |
| S1011 | Tarrask | [5] | Token Impersonation/Theft: Access Token Manipulation; Windows Command Shell: Command and Scripting Interpreter; Hide Artifacts; Masquerade Task or Service: Masquerading; Match Legitimate Name or Location: Masquerading; Modify Registry; Scheduled Task: Scheduled Task/Job |

References