Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа HAFNIUM
Риски
Каталоги
MITRE ATT&CK
Преступная группа
HAFNIUM
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
ID: G0125
Associated Groups: Operation Exchange Marauder, Silk Typhoon
Version: 3.0
Created: 03 Mar 2021
Last Modified: 25 Mar 2025

Associated Group Descriptions
Name Description
Operation Exchange Marauder (Citation: Volexity Exchange Marauder March 2021)
Silk Typhoon (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft Silk Typhoon MAR 2025)

Techniques Used
Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFNIUM March 2020)
.005 Acquire Infrastructure: Botnet

HAFNIUM has incorporated leased devices into covert networks to obfuscate communications.(Citation: Microsoft Silk Typhoon MAR 2025)

.006 Acquire Infrastructure: Web Services

HAFNIUM has acquired web services for use in C2 and exfiltration.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HAFNIUM has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020)
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)
Enterprise T1110 .003 Brute Force: Password Spraying

HAFNIUM has gained initial access through password spray attacks.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)
.003 Command and Scripting Interpreter: Windows Command Shell

HAFNIUM has used `cmd.exe` to execute commands on the victim's machine.(Citation: Rapid7 HAFNIUM Mar 2021)

Enterprise T1584 .005 Compromise Infrastructure: Botnet

HAFNIUM has used compromised devices in covert networks to obfuscate communications.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1136 .002 Create Account: Domain Account

HAFNIUM has created domain accounts.(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1555 .006 Credentials from Password Stores: Cloud Secrets Management Stores

HAFNIUM has moved laterally from on-premises environments to steal passwords from Azure key vaults.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1132 .001 Data Encoding: Standard Encoding

HAFNIUM has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020)
Enterprise T1213 .002 Data from Information Repositories: Sharepoint

HAFNIUM has abused compromised credentials to exfiltrate data from SharePoint.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1114 .002 Email Collection: Remote Email Collection

HAFNIUM has used web shells and MSGraph to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020)
Enterprise T1592 .004 Gather Victim Host Information: Client Configurations

HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.(Citation: Microsoft HAFNIUM March 2020)
Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HAFNIUM has collected e-mail addresses for users they intended to target.(Citation: Volexity Exchange Marauder March 2021)
Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.(Citation: Volexity Exchange Marauder March 2021)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

HAFNIUM has hidden files on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021)
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

HAFNIUM has cleared actor-performed actions from logs.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

HAFNIUM has used procdump to dump the LSASS process memory.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Rapid7 HAFNIUM Mar 2021)
.003 OS Credential Dumping: NTDS

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)

Enterprise T1593 .003 Search Open Websites/Domains: Code Repositories

HAFNIUM has discovered leaked corporate credentials on public repositories including GitHub.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1505 .003 Server Software Component: Web Shell

HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task)(Citation: Rapid7 HAFNIUM Mar 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HAFNIUM has used rundll32 to load malicious DLLs.(Citation: Volexity Exchange Marauder March 2021)
Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`.(Citation: Rapid7 HAFNIUM Mar 2021)
Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

HAFNIUM has abused service principals with administrative permissions for data exfiltration.(Citation: Microsoft Silk Typhoon MAR 2025)
Enterprise T1078 .003 Valid Accounts: Local Accounts

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021)
.004 Valid Accounts: Cloud Accounts

HAFNIUM has abused service principals in compromised environments to enable data exfiltration.(Citation: Microsoft Silk Typhoon MAR 2025)

Software
ID Name References Techniques
S1155 Covenant (Citation: Github Covenant) (Citation: Microsoft HAFNIUM March 2020) (Citation: Microsoft Silk Typhoon MAR 2025) Windows Management Instrumentation, InstallUtil, System Information Discovery, Mshta, PowerShell, Non-Standard Port, Regsvr32, Asymmetric Cryptography, Windows Command Shell, Web Protocols
S0357 Impacket (Citation: Impacket Tools) (Citation: Tarrask scheduled task) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: Volexity Exchange Marauder March 2021) Web Shell
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Exchange Zero Days March 2021) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) (Citation: Volexity Exchange Marauder March 2021) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S1011 Tarrask (Citation: Tarrask scheduled task) Scheduled Task, Match Legitimate Resource Name or Location, Hide Artifacts, Modify Registry, Masquerade Task or Service, Token Impersonation/Theft, Windows Command Shell
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Volexity Exchange Marauder March 2021) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  2. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  3. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  4. Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
  5. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  6. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  7. Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023.
  8. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.