Hafnium
Description
(Microsoft) HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.
In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
(Recorded Future) Coalition officials pinned the attacks on groups tracked as APT 31 (Judgment Panda, Zirconium) and Leviathan (APT 40, TEMP.Periscope) by cybersecurity experts, according to a press release from the UK National Cyber Security Centre. Supporting statements were also issued by NATO, the UK government, the European Union Council, Australia, Japan, Canada, Latvia, Lithuania, Estonia, Slovenia, Finland, and Denmark.
Names
Name | Name-Giver |
---|---|
Hafnium | Microsoft |
Silk Typhoon | Microsoft |
Red Dev 13 | PwC |
Murky Panda | CrowdStrike |
Country
Sponsor
State-sponsored, Ministry of State Security
Motivation
- Information theft and espionage
First Seen
2021
Observed Countries
Tools
Operations
- 2021-12: Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/
- 2024 (late): Silk Typhoon targeting IT supply chain https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- 2024-12: US Treasury Department breached through remote support platform https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/ https://www.bleepingcomputer.com/news/security/us-treasury-hack-linked-to-silk-typhoon-chinese-state-hackers/
- 2025-01: Treasury hackers also breached US foreign investments review office https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/
Counter Operations
- 2021-07: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
- 2025-01: Treasury Sanctions Technology Company for Support to Malicious Cyber Group https://home.treasury.gov/news/press-releases/jy2769 https://www.securityweek.com/china-protests-us-sanctions-for-its-alleged-role-in-hacking-complains-of-foreign-hacker-attacks/
Information
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://therecord.media/white-house-formally-blames-chinas-ministry-of-state-security-for-microsoft-exchange-hack/
- https://www.dropbox.com/s/dwiygk49pos4vqx/Whitepaper%204%20MS%20Exchange%200-days.pdf?dl=0
Mitre Attack
Other Information
Uuid
7c88c982-c383-4552-90b4-cbb67ec5240f
Last Card Change
2025-06-28