HAFNIUM
Also known as: Operation Exchange Marauder · Silk Typhoon
Overview
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 44 techniques across 14 tactics
Reconnaissance
- T1589.002 Email Addresses
- T1590 Gather Victim Network Information
- T1590.005 IP Addresses
- T1592.004 Client Configurations
- T1593.003 Code Repositories
Resource Development
- T1583.003 Virtual Private Server
- T1583.005 Botnet
- T1583.006 Web Services
- T1584.005 Botnet
Initial Access
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
Persistence
- T1098 Account Manipulation
- T1136.002 Domain Account
- T1505.003 Web Shell
Privilege Escalation
Stealth
- T1078.003 Local Accounts
- T1078.004 Cloud Accounts
- T1218.011 Rundll32
- T1564.001 Hidden Files and Directories
Defense Impairment
- T1685.005 Clear Windows Event Logs
Credential Access
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1110.003 Password Spraying
- T1555.006 Cloud Secrets Management Stores
Discovery
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1083 File and Directory Discovery
Lateral Movement
- T1550.001 Application Access Token
Collection
- T1005 Data from Local System
- T1114.002 Remote Email Collection
- T1119 Automated Collection
- T1213.002 Sharepoint
- T1530 Data from Cloud Storage
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1095 Non-Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (6)
Tarrask · ASPXSpy · Impacket · PsExec · Covenant · China Chopper
Reporting (3)
- Silk Typhoon targeting IT supply chain — Microsoft Threat Intelligence
- How Microsoft names threat actors — Microsoft
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities — Gruzweig, J. et al