Hafnium (group)

Hafnium (sometimes styled HAFNIUM) is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. [1] [2] [3] Hafnium is closely connected to APT40. [4]

2021 Microsoft Exchange Server data breach

Microsoft named Hafnium as the group responsible for the 2021 Microsoft Exchange Server data breach, and alleged they were "state-sponsored and operating out of China". [2] [3] According to Microsoft, they are based in China but primarily use United States-based virtual private servers, [5] and have targeted "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs". [6]

In July 2021, UK foreign secretary Dominic Raab said the attack had been performed by "Chinese state-backed groups" linked to the Ministry of State Security (MSS). [7] [8] The Chinese government has denied responsibility for the 2021 Microsoft breach. [2]

The name "Hafnium" was assigned to the group by Microsoft, which publicly disclosed the group's activity on March 2, 2021. Microsoft described the group as "highly skilled and sophisticated". [9] [10]

2022 Tarrask Malware

Hafnium was linked to the creation of Tarrask, a defense evasion malware used in earlier attacks. The malware was used against telecommunications companies, Internet service providers, and data service companies from August 2021 to February 2022. It abuses Windows scheduled tasks to hide the payloads delivered to compromised servers. [11]
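A defensive audit for the behaviour described above, added here as an example and not taken from the article or from Microsoft's Tarrask write-up. It rests on the assumption that a legitimately registered task is recorded consistently in three places (the Task Scheduler API, the registry cache under `Schedule\TaskCache`, and the XML definition under `%SystemRoot%\System32\Tasks`), so a task whose entries disagree deserves a closer look. The function name `Get-ScheduledTaskAudit`, its parameters, and the "leaf node is a task" heuristic are assumptions of this example; the registry and file-system locations are the standard Task Scheduler ones on Windows 10 / Server 2016 and later, and the script must run from an elevated session to read them.

```powershell
# Added example, not code from the article or from any Tarrask analysis.
# Assumptions: Windows 10 / Server 2016 or later, an elevated PowerShell
# session, and the standard Task Scheduler layout named in the parameters.
#
# A registered task normally appears in three places at once:
#   1. the Task Scheduler API (Get-ScheduledTask / schtasks),
#   2. the registry cache under Schedule\TaskCache (Tree and Tasks keys),
#   3. its XML definition under %SystemRoot%\System32\Tasks.
# Tampering that hides a task tends to break that agreement, so the audit
# reconciles the three views and reports every task that fails a check.

function Get-ScheduledTaskAudit {
    [CmdletBinding()]
    param(
        [string]$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree',
        [string]$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks',
        [string]$XmlRoot  = (Join-Path $env:SystemRoot 'System32\Tasks')
    )

    # View 1: what the scheduler API is willing to enumerate.
    # Hashtable keys are case-insensitive, which matches registry naming.
    $apiVisible = @{}
    foreach ($t in Get-ScheduledTask) {
        $apiVisible[$t.TaskPath + $t.TaskName] = $true
    }

    # Views 2 and 3: walk the registry Tree and check each task node.
    $treeRoot = (Get-Item -Path $TreeKey).Name
    Get-ChildItem -Path $TreeKey -Recurse | ForEach-Object {
        $node = $_
        # Heuristic (assumption): nodes with subkeys are folders, leaf nodes
        # are tasks. An empty folder is reported too; that is acceptable noise.
        if ($node.SubKeyCount -gt 0) { return }

        # Path relative to Tree, e.g. \Microsoft\Windows\Defrag\ScheduledDefrag,
        # which is the same form as TaskPath + TaskName from the API.
        $taskPath = $node.Name.Substring($treeRoot.Length)
        $props    = Get-ItemProperty -Path $node.PSPath

        $hasSd    = $null -ne $props.SD                         # security descriptor blob present
        $hasId    = -not [string]::IsNullOrEmpty($props.Id)     # GUID linking Tree -> Tasks
        $hasCache = $hasId -and (Test-Path -Path (Join-Path $TasksKey $props.Id))
        $hasXml   = Test-Path -Path (Join-Path $XmlRoot $taskPath.TrimStart('\')) -PathType Leaf
        $visible  = $apiVisible.ContainsKey($taskPath)

        [pscustomobject]@{
            TaskPath           = $taskPath
            ApiVisible         = $visible
            HasSecurityDesc    = $hasSd
            HasTasksCacheEntry = $hasCache
            HasXmlDefinition   = $hasXml
            Suspicious         = -not ($visible -and $hasSd -and $hasCache -and $hasXml)
        }
    }
}

# Usage: list only the tasks whose three views disagree.
Get-ScheduledTaskAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Every flagged row is a lead, not a verdict: compare the task's XML and registry actions against a known-good baseline from a clean host, and treat a task that the registry knows about but the API does not enumerate as the highest-priority finding.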

Capabilities

In March 2021, it was reported that the group had access to the China Chopper web shell, which it used in the 2021 Microsoft Exchange Server data breach to control compromised servers. [12] [13] [7]

References

  1. "Microsoft accuses China over email cyber-attacks". BBC News. 3 March 2021. Retrieved 10 March 2021.
  2. Collier, Kevin (9 March 2021). "'Really messy': Why the hack of Microsoft's email system is getting worse". NBC News. Retrieved 10 March 2021.
  3. "HAFNIUM targeting Exchange Servers with 0-day exploits". Microsoft Security. Microsoft. 2 March 2021. Retrieved 10 March 2021.
  4. Mackie, Kurt (19 July 2021). "White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks". Redmondmag. Retrieved 24 April 2022.
  5. Burt, Tom (2 March 2021). "New nation-state cyberattacks". Microsoft On the Issues. Microsoft. Retrieved 10 March 2021.
  6. "'Hack everybody you can': What to know about the massive Microsoft Exchange breach". CBS News. Retrieved 15 March 2021.
  7. "China accused of cyber-attack on Microsoft Exchange servers". BBC. 19 July 2021. Retrieved 19 July 2021.
  8. Greenberg, Andy (5 March 2021). "Chinese Hacking Spree Hit an 'Astronomical' Number of Victims". Wired. ISSN 1059-1028. Retrieved 10 March 2021.
  9. "New nation-state cyberattacks". Microsoft On the Issues. 2 March 2021. Retrieved 15 March 2021.
  10. "'Active threat': Chinese hackers target 30,000 US entities". Al Jazeera. Retrieved 15 March 2021.
  11. "Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers". The Hacker News. Retrieved 17 April 2022.
  12. Osborne, Charlie. "Hafnium's China Chopper: a 'slick' and tiny web shell for creating server backdoors". ZDNet. Retrieved 15 March 2021.
  13. "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix". Threatpost. Retrieved 16 March 2021.