Skip to content

G0125 HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.21

Item Value
ID G0125
Associated Names Operation Exchange Marauder
Version 1.1
Created 03 March 2021
Last Modified 16 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Operation Exchange Marauder 1

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.003 Virtual Private Server HAFNIUM has operated from leased virtual private servers (VPS) in the United States.2
enterprise T1583.006 Web Services HAFNIUM has acquired web services for use in C2 and exfiltration.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols HAFNIUM has used open-source C2 frameworks, including Covenant.2
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.21
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.21
enterprise T1136 Create Account -
enterprise T1136.002 Domain Account HAFNIUM has created and granted privileges to domain accounts.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding HAFNIUM has used ASCII encoding for C2 traffic.2
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection HAFNIUM has used web shells to export mailbox data.21
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage HAFNIUM has exfiltrated data to file sharing sites, including MEGA.2
enterprise T1190 Exploit Public-Facing Application HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.213
enterprise T1592 Gather Victim Host Information -
enterprise T1592.004 Client Configurations HAFNIUM has interacted with Office 365 tenants to gather details regarding target’s environments.2
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses HAFNIUM has collected e-mail addresses for users they intended to target.1
enterprise T1590 Gather Victim Network Information HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim’s environment.1
enterprise T1590.005 IP Addresses HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.1
enterprise T1105 Ingress Tool Transfer HAFNIUM has downloaded malware and tools–including Nishang and PowerCat–onto a compromised host.2
enterprise T1095 Non-Application Layer Protocol HAFNIUM has used TCP for C2.2
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory HAFNIUM has used procdump to dump the LSASS process memory.21
enterprise T1003.003 NTDS HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.213
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 HAFNIUM has used rundll32 to load malicious DLLs.1
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.3

Software

ID Name References Techniques
S0073 ASPXSpy - Web Shell:Server Software Component
S0020 China Chopper - Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal on Host Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services

References

Back to top