Hafnium (group) explained

Hafnium (sometimes styled HAFNIUM; also called Silk Typhoon by Microsoft[1]) is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government.[2] [3] [4] Hafnium is closely connected to APT40.[5]

2021 Microsoft Exchange Server data breach

See main article: 2021 Microsoft Exchange Server data breach.

Microsoft named Hafnium as the group responsible for the 2021 Microsoft Exchange Server data breach, and alleged they were "state-sponsored and operating out of China". According to Microsoft, they are based in China but primarily use United States-based virtual private servers,[6] and have targeted "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs".[7]

In July 2021, UK foreign secretary Dominic Raab said the attack had been performed by "Chinese state-backed groups" linked to the Ministry of State Security (MSS).[8] [9] The Chinese government has denied responsibility for the 2021 Microsoft breach.

The name "Hafnium" was assigned to the group by Microsoft, which publicly disclosed the group's activity on March 2, 2021. Microsoft described the group as "highly skilled and sophisticated".[10] [11] Hafnium is closely connected to APT40.

2022 Tarrask Malware

Hafnium was linked to the creation of Tarrask, a defense evasion malware used on previous attacks. The malware was used on telecommunications, Internet service providers, and data service companies from August 2021 to February 2022. The malware uses scheduled task abuse to hide payloads delivered to servers.[12]

Capabilities

In March 2021, it was reported the group had access to the China Chopper web shell, which it has used in the 2021 Microsoft Exchange Server data breach to control hacked servers.[13] [14]

See also

Notes and References

  1. Web site: How Microsoft names threat actors . Microsoft . 21 January 2024.
  2. News: 3 March 2021. Microsoft accuses China over email cyber-attacks. en-GB. BBC News. 10 March 2021. 22 July 2021. https://web.archive.org/web/20210722050937/https://www.bbc.com/news/business-56261516. live.
  3. News: Kevin. Collier. 9 March 2021. 'Really messy': Why the hack of Microsoft's email system is getting worse. NBC News. 10 March 2021. 22 July 2021. https://web.archive.org/web/20210722045436/https://www.nbcnews.com/tech/security/really-messy-hack-microsofts-email-system-getting-worse-rcna377. live.
  4. Web site: 2 March 2021. HAFNIUM targeting Exchange Servers with 0-day exploits. 10 March 2021. Microsoft Security. Microsoft. en-US. 24 July 2021. https://web.archive.org/web/20210724073915/https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/. live.
  5. Web site: White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks -- Redmondmag.com . Mackie . Kurt . Redmondmag . July 19, 2021 . April 24, 2022 . 17 May 2022 . https://web.archive.org/web/20220517211043/https://redmondmag.com/articles/2021/07/19/china-apt40-exchange-attacks.aspx . live .
  6. Web site: Burt. Tom. 2 March 2021. New nation-state cyberattacks. 10 March 2021. Microsoft On the Issues. Microsoft. en-US. 2 March 2021. https://web.archive.org/web/20210302211855/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/. live.
  7. News: "Hack everybody you can": What to know about the massive Microsoft Exchange breach . 15 March 2021 . www.cbsnews.com . 15 March 2021 . https://web.archive.org/web/20210315003812/https://www.cbsnews.com/news/microsoft-exchange-server-hack-what-to-know/ . live .
  8. News: 19 July 2021. China accused of cyber-attack on Microsoft Exchange servers. BBC. 19 July 2021. 19 July 2021. https://web.archive.org/web/20210719122422/https://www.bbc.com/news/world-asia-china-57889981. live.
  9. Greenberg. Andy. Andy Greenberg. 5 March 2021. Chinese Hacking Spree Hit an 'Astronomical' Number of Victims. en-us. Wired. 10 March 2021. 1059-1028. 26 May 2021. https://web.archive.org/web/20210526020723/https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/. live.
  10. News: New nation-state cyberattacks . 15 March 2021 . Microsoft On the Issues . 2 March 2021 . 2 March 2021 . https://web.archive.org/web/20210302211855/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/ . live .
  11. News: 'Active threat': Chinese hackers target 30,000 US entities . 15 March 2021 . www.aljazeera.com . en . 15 March 2021 . https://web.archive.org/web/20210315025334/https://www.aljazeera.com/news/2021/3/6/active-threat-chinese-hackers-target-30000-us-entities . live .
  12. Web site: Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers . 2022-04-17 . The Hacker News . en . 17 April 2022 . https://web.archive.org/web/20220417111153/https://thehackernews.com/2022/04/microsoft-exposes-evasive-chinese.html . live .
  13. Web site: Osborne. Charlie. Hafnium's China Chopper: a 'slick' and tiny web shell for creating server backdoors. 2021-03-15. ZDNet. en. 15 March 2021. https://web.archive.org/web/20210315140601/https://www.zdnet.com/article/hafniums-china-chopper-a-slick-and-tiny-web-shell-for-creating-server-backdoors/. live.
  14. Web site: Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix. 2021-03-16. threatpost.com. 16 March 2021 . en. 16 March 2021. https://web.archive.org/web/20210316165816/https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/. live.