Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 2021 Microsoft Exchange Server data breach 2 2022 Tarrask Malware 3 Capabilities 4 See also 5 References

Hafnium (group)

●Bahasa Indonesia ●日本語 ●Norsk bokmål Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

Hafnium (sometimes styled HAFNIUM; also called Silk Typhoon by Microsoft^[1]) is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government.^[2]^[3]^[4] Hafnium is closely connected to APT40.^[5]

2021 Microsoft Exchange Server data breach

[edit]

Microsoft named Hafnium as the group responsible for the 2021 Microsoft Exchange Server data breach, and alleged they were "state-sponsored and operating out of China".^[3]^[4] According to Microsoft, they are based in China but primarily use United States-based virtual private servers,^[6] and have targeted "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs".^[7]

In July 2021, UK foreign secretary Dominic Raab said the attack had been performed by "Chinese state-backed groups" linked to the Ministry of State Security (MSS).^[8]^[9] The Chinese government has denied responsibility for the 2021 Microsoft breach.^[3]

The name "Hafnium" was assigned to the group by Microsoft, which publicly disclosed the group's activity on March 2, 2021. Microsoft described the group as "highly skilled and sophisticated".^[10]^[11] Hafnium is closely connected to APT40.^[5]

2022 Tarrask Malware

[edit]

Hafnium was linked to the creation of Tarrask, a defense evasion malware used on previous attacks. The malware was used on telecommunications, Internet service providers, and data service companies from August 2021 to February 2022. The malware uses scheduled task abuse to hide payloads delivered to servers.^[12]

Capabilities

[edit]

In March 2021, it was reported the group had access to the China Chopper web shell, which it has used in the 2021 Microsoft Exchange Server data breach to control hacked servers.^[13]^[14]^[8]

References

[edit]

^ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.

^ "Microsoft accuses China over email cyber-attacks". BBC News. 3 March 2021. Archived from the original on 22 July 2021. Retrieved 10 March 2021.

^ ^a ^b ^c Kevin, Collier (9 March 2021). "'Really messy': Why the hack of Microsoft's email system is getting worse". NBC News. Archived from the original on 22 July 2021. Retrieved 10 March 2021.

^ ^a ^b "HAFNIUM targeting Exchange Servers with 0-day exploits". Microsoft Security. Microsoft. 2 March 2021. Archived from the original on 24 July 2021. Retrieved 10 March 2021.

^ ^a ^b Mackie, Kurt (19 July 2021). "White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks -- Redmondmag.com". Redmondmag. Archived from the original on 17 May 2022. Retrieved 24 April 2022.

^ Burt, Tom (2 March 2021). "New nation-state cyberattacks". Microsoft On the Issues. Microsoft. Archived from the original on 2 March 2021. Retrieved 10 March 2021.

^ ""Hack everybody you can": What to know about the massive Microsoft Exchange breach". www.cbsnews.com. Archived from the original on 15 March 2021. Retrieved 15 March 2021.

^ ^a ^b "China accused of cyber-attack on Microsoft Exchange servers". BBC. 19 July 2021. Archived from the original on 19 July 2021. Retrieved 19 July 2021.

^ Greenberg, Andy (5 March 2021). "Chinese Hacking Spree Hit an 'Astronomical' Number of Victims". Wired. ISSN 1059-1028. Archived from the original on 26 May 2021. Retrieved 10 March 2021.

^ "New nation-state cyberattacks". Microsoft On the Issues. 2 March 2021. Archived from the original on 2 March 2021. Retrieved 15 March 2021.

^ "'Active threat': Chinese hackers target 30,000 US entities". www.aljazeera.com. Archived from the original on 15 March 2021. Retrieved 15 March 2021.

^ "Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers". The Hacker News. Archived from the original on 17 April 2022. Retrieved 17 April 2022.

^ Osborne, Charlie. "Hafnium's China Chopper: a 'slick' and tiny web shell for creating server backdoors". ZDNet. Archived from the original on 15 March 2021. Retrieved 15 March 2021.

^ "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix". threatpost.com. 16 March 2021. Archived from the original on 16 March 2021. Retrieved 16 March 2021.

Hacking in the 2020s

← 2010s

Timeline

2030s →

Major incidents

2020	BlueLeaks Twitter account hijacking European Medicines Agency data breach Nintendo data leak United States federal government data breach EasyJet data breach Vastaamo data breach
2021	Microsoft Exchange Server breach Ivanti Pulse Connect Secure data breach Colonial Pipeline ransomware attack Health Service Executive ransomware attack Waikato District Health Board ransomware attack JBS S.A. ransomware attack Kaseya VSA ransomware attack Transnet ransomware attack Epik data breach FBI email hack National Rifle Association ransomware attack Banco de Oro hack
2022	Ukraine cyberattacks Red Cross data breach Anonymous and the Russian invasion of Ukraine Viasat hack DDoS attacks on Romania Costa Rican ransomware attack LastPass vault theft Shanghai police database leak Grand Theft Auto VI content leak
2023	Munster Technological University ransomware attack Evide data breach MOVEit data breach Insomniac Games data breach Polish railway cyberattack British Library cyberattack
2024	XZ Utils backdoor Kadokawa and Niconico

Groups

Individuals

Major vulnerabilities
publicly disclosed

SMBGhost (2020)
Thunderspy (2020)
PrintNightmare (2021)
FORCEDENTRY (2021)
Log4Shell (2021)
Account pre-hijacking (2022)
Retbleed (2022)
Downfall (2023)
LogoFAIL (2023)
Reptar (2023)
Terrapin (2023)
GoFetch (2024)

Malware

2020

2021

Predator

2022

Ministry of State Security

(MSS Headquarters: Yidongyuan Compound, Xiyuan, Haidian District, Beijing, China)

Organization

Headquarters bureaus	Confidential Communication International Intelligence Political & Economic Intelligence Taiwan, Hong Kong and Macao Analysis and Dissemination Operational Guidance Counterespionage Counterespionage Investigation Internal Security External Security CICIR Social Investigation Bureau CICEC CNITSEC Technical Reconnaissance Institute of Taiwan Studies Imaging Intelligence Enterprises United States California Counterterrorism
Municipal bureaus	Beijing Detention Centre Chongqing Shanghai Tianjin APT10
Provincial departments	Anhui Fujian Gansu Guangdong APT3 Guizhou Hainan APT40 Hebei Heilongjiang Henan Hubei APT31 Hunan Jiangsu APT26 Jiangxi Jilin Liaoning Qinghai Shaanxi Shandong Shanxi Sichuan Yunnan Zhejiang
Departments in autonomous regions	Guangxi Inner Mongolia Ningxia Tibet Xinjiang XPCC
Schools	University of International Relations Hangzhou [zh] Jiangnan Social University
Research institutes	Nanjing Institute of Information Technology
Front organizations	China Institute for Innovation and Development Strategy China National Technical Import and Export Corporation

Ministers

Major international
operations

Notable works

Activities by country

Retrieved from "https://en.wikipedia.org/w/index.php?title=Hafnium_(group)&oldid=1231546782" Categories: ●Chinese advanced persistent threat groups ●Hacking in the 2020s ●Information technology in China Hidden categories: ●Articles with short description ●Short description matches Wikidata ●Use dmy dates from March 2021 ●EngvarB from March 2021 ●This page was last edited on 28 June 2024, at 22:09 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view