HAFNIUM

Threat Actor updated 3 months ago (2024-11-29T14:31:36.985Z)

Download STIX

Preview STIX

HAFNIUM, also known as Silk Typhoon, is a threat actor group originating from China that has been involved in several significant cyber-attacks. They have exploited vulnerabilities in Microsoft Exchange Server software and Zoho products, using methods such as web shells for remote access and unconventional techniques to tamper with scheduled tasks for establishing persistent connections. One notable method involves modifying registry keys in their Tarrask malware to establish persistence and conceal malicious activity on infected endpoints. HAFNIUM has also used the Windows Task Scheduler to execute hidden scheduled tasks, allowing their malware to evade detection. In March 2021, the Exchange Server team released a script to check for HAFNIUM indicators of compromise (IOCs). The group's activities were marked by executing encoded PowerShell commands and using the type command to view the contents of possible webshell files named outlooken.aspx. Rapid7 observed the execution of Procudmp.exe commands via the China Chopper webshell, writing the memory contents of the lsass.exe process to disk. Furthermore, traces tying HAFNIUM to the ShadowPad malware and UNC2643 activity were found, along with Cobalt Strike beacons. The filename system_web.aspx was identified as a known IOC of Hafnium. The level of escalation in the use of exploits by HAFNIUM and its subsequent use by other actors suggests that the same exploit may have been shared or leaked. This was evidenced by the observation of exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. In 2021, there was a surge in incidents due to HAFNIUM exploiting a Microsoft Exchange Server bug. However, the numbers for the first half of 2023 were significantly higher than the second half of 2022 when cyber incident reports almost ground to a halt.

Description last updated: 2024-11-28T11:44:57.374Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Silk Typhoon is a possible alias for HAFNIUM. Silk Typhoon, also known as Hafnium, is a state-sponsored threat actor originating from China. The group first came to prominence in March 2021 when it was linked to the exploitation of Microsoft Exchange Server vulnerabilities. This group has been particularly noted for its use of Exchange PowerShe	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Exploit

State Sponso...

Vulnerability

Malware

Exploits

Zero Day

Apt

Espionage

exploited

Iis

Windows

exploitation

Web Shell

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The China Chopper Malware is associated with HAFNIUM. China Chopper is a well-known malware that has been used extensively by Chinese-speaking actors, including the BRONZE UNION group. The malware is designed to exploit and damage computer systems, often without the knowledge of the user. It can infiltrate systems through suspicious downloads, emails,	Unspecified	2

Source Document References

Information about the HAFNIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	5 days ago	Silk Typhoon Shifts Tactics to Exploit Common IT Solutions
Securelist	3 months ago	Kaspersky report on APT trends in Q3 2024
ESET	10 months ago	To the Moon and back(doors): Lunar landing in diplomatic missions
DARKReading	a year ago	FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of telecommunication companies, internet service providers, and the data services sector
CERT-EU	a year ago	UK finance firms faced a torrent of ransomware attacks in 2023 as threat actors ramped up activities \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Hackers Modifying Registry Keys and Establishing Persistence \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Q4 2023 Security Use Cases: Insights From Success Services
MITRE	a year ago	Analyzing Attacker Behavior Post-Exploitation of MS Exchange \| Rapid7 Blog
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of U.S. federal civilian agency
CERT-EU	a year ago	Reflecting on 20 years of Patch Tuesday \| MSRC Blog \| Microsoft Security Response Center
CERT-EU	a year ago	Chinese Silent Skimmer Attack Hits APAC and NALA Online Payment Firms
DARKReading	a year ago	Payment Card-Skimming Campaign Now Targeting Websites in North America
CERT-EU	2 years ago	Nation-state actor targets govts in the Middle East and Africa using rare techniques
CERT-EU	2 years ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of U.S. federal civilian agency
CERT-EU	2 years ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of organizations via Microsoft Exchange Server vulnerability
CERT-EU	2 years ago	View the latest outbreak alerts on cyber-attacks \| FortiGuard Labs
CERT-EU	2 years ago	Cyber Command to expand 'canary in the coal mine' unit working with private sector
CERT-EU	2 years ago	Three of the world's most expensive phishing attacks... and how they could have been prevented
CERT-EU	2 years ago	State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments