Nation-State Actor
Hafnium
China • Active since 2021
Hafnium found critical bugs in Microsoft Exchange email servers and hacked hundreds of thousands of organizations worldwide. This was one of the biggest hacking campaigns ever discovered.
Overview
Hafnium is a Chinese state-sponsored threat group responsible for the massive Microsoft Exchange Server exploitation campaign in 2021. They exploited ProxyLogon vulnerabilities affecting tens of thousands of organizations.
Also Known As
Silk Typhoon, Operation Exchange Marauder
Target Industries
All Industries, Research, Defense, Healthcare, Government
Target Regions
United States, Global
Tactics, Techniques & Procedures
- Zero-day exploitation
- Web shell deployment
- Credential dumping
- Email harvesting
- Living off the land
Known Tools & Malware
China Chopper, ASPXSPY, Covenant, Nishang, PowerCat
Notable Campaigns
ProxyLogon Exploitation (2021)
Mass exploitation of Exchange zero-days affecting 250,000+ organizations.
Data Exfiltration Operations (2021)
Systematic email harvesting from compromised Exchange servers.
MITRE ATT&CK Techniques
T1190 (Exploit Public-Facing Application), T1505.003 (Server Software Component: Web Shell), T1003 (OS Credential Dumping), T1114 (Email Collection), T1059.001 (Command and Scripting Interpreter: PowerShell)
Defense Recommendations
1. Patch Exchange servers immediately
2. Scan Exchange servers for web shells
3. Review Exchange server logs for signs of compromise