Hafnium (group)

Last updated

Hafnium (sometimes styled HAFNIUM; also called Silk Typhoon by Microsoft [1] ) is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. [2] [3] [4] Hafnium is closely connected to APT40. [5]

Contents

2021 Microsoft Exchange Server data breach

Microsoft named Hafnium as the group responsible for the 2021 Microsoft Exchange Server data breach, and alleged they were "state-sponsored and operating out of China". [3] [4] According to Microsoft, they are based in China but primarily use United States–based virtual private servers, [6] and have targeted "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs". [7]

In July 2021, UK foreign secretary Dominic Raab said the attack had been performed by "Chinese state-backed groups" linked to the Ministry of State Security (MSS). [8] [9] The Chinese government has denied responsibility for the 2021 Microsoft breach. [3]

The name "Hafnium" was assigned to the group by Microsoft, which publicly disclosed the group's activity on March 2, 2021. Microsoft described the group as "highly skilled and sophisticated". [10] [11] Hafnium is closely connected to APT40. [5]

2022 Tarrask Malware

Hafnium was linked to the creation of Tarrask, a defense evasion malware used on previous attacks. The malware was used on telecommunications, Internet service providers, and data service companies from August 2021 to February 2022. The malware uses scheduled task abuse to hide payloads delivered to servers. [12]

Capabilities

In March 2021, it was reported the group had access to the China Chopper web shell, which it has used in the 2021 Microsoft Exchange Server data breach to control hacked servers. [13] [14] [8]

See also

Related Research Articles

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Cyberwarfare by China is the aggregate of cyberattacks attributed to the organs of the People's Republic of China and various related advanced persistent threat (APT) groups.

Cyberwarfare is a part of the Iranian government's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field. Since November 2010, an organization called "The Cyber Defense Command" has been operating in Iran under the supervision of the country's "Passive Civil Defense Organization" which is itself a subdivision of the Joint Staff of Iranian Armed Forces.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that allowed users to gain access to any number of computers connected to a network. The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. This web shell has two parts, the client interface and the receiver host file on the compromised web server.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

APT40, also known as BRONZE MOHAWK, FEVERDREAM, G0065, GADOLINIUM, Gingham Typhoon, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper, is an advanced persistent threat operated by the Hainan State Security Department, a branch of the Chinese Ministry of State Security located in Haikou, Hainan, China, and has been active since at least 2009.

In Q2 of 2013, Akamai Technologies reported that Indonesia topped China with a portion 38 percent of cyber attacks, an increase from the 21 percent portion in the previous quarter. China was at 33 percent and the US at 6.9 percent. 79 percent of attacks came from the Asia Pacific region. Indonesia dominated the attacking to ports 80 and 443 by about 90 percent.

References

  1. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  2. "Microsoft accuses China over email cyber-attacks". BBC News . 3 March 2021. Archived from the original on 22 July 2021. Retrieved 10 March 2021.
  3. 1 2 3 Kevin, Collier (9 March 2021). "'Really messy': Why the hack of Microsoft's email system is getting worse". NBC News . Archived from the original on 22 July 2021. Retrieved 10 March 2021.
  4. 1 2 "HAFNIUM targeting Exchange Servers with 0-day exploits". Microsoft Security. Microsoft. 2 March 2021. Archived from the original on 24 July 2021. Retrieved 10 March 2021.
  5. 1 2 Mackie, Kurt (19 July 2021). "White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks -- Redmondmag.com". Redmondmag. Archived from the original on 17 May 2022. Retrieved 24 April 2022.
  6. Burt, Tom (2 March 2021). "New nation-state cyberattacks". Microsoft On the Issues. Microsoft. Archived from the original on 2 March 2021. Retrieved 10 March 2021.
  7. ""Hack everybody you can": What to know about the massive Microsoft Exchange breach". www.cbsnews.com. Archived from the original on 15 March 2021. Retrieved 15 March 2021.
  8. 1 2 "China accused of cyber-attack on Microsoft Exchange servers". BBC . 19 July 2021. Archived from the original on 19 July 2021. Retrieved 19 July 2021.
  9. Greenberg, Andy (5 March 2021). "Chinese Hacking Spree Hit an 'Astronomical' Number of Victims". Wired . ISSN   1059-1028. Archived from the original on 26 May 2021. Retrieved 10 March 2021.
  10. "New nation-state cyberattacks". Microsoft On the Issues. 2 March 2021. Archived from the original on 2 March 2021. Retrieved 15 March 2021.
  11. "'Active threat': Chinese hackers target 30,000 US entities". www.aljazeera.com. Archived from the original on 15 March 2021. Retrieved 15 March 2021.
  12. "Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers". The Hacker News. Archived from the original on 17 April 2022. Retrieved 17 April 2022.
  13. Osborne, Charlie. "Hafnium's China Chopper: a 'slick' and tiny web shell for creating server backdoors". ZDNet. Archived from the original on 15 March 2021. Retrieved 15 March 2021.
  14. "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix". threatpost.com. 16 March 2021. Archived from the original on 16 March 2021. Retrieved 16 March 2021.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.