HAFNIUM
Nation-state Espionage China Historical
Aliases: Silk Typhoon
Also seen as: Hafnium
- Mentions
- 4
- First seen
- 03 Nov 2021
- Last seen
- 30 Sept 2022
Relevant to you ยท Affects your stack
- Technology:
- Microsoft Windows Server 2022Microsoft Remote Desktop Gateway
- Threat focus:
- espionage / apt
- Sector / region:
- Manufacturing
Origin
China โ Chinese state-linked
Profile
HAFNIUM is a state-sponsored threat actor group that recently exploited multiple critical vulnerabilities in Microsoft Exchange Server, including CVE-2022-41082, CVE-2021-26858, CVE-2021-27065, and CVE-2021-26857. These vulnerabilities allowed remote code execution and were used in targeted attacks.
Affected vendors
Microsoft
How they operate (MITRE tactics)
Initial Access
Persistence
Lateral Movement
Recommended mitigations
Derived from MITRE ATT&CK, mapped to this actor's techniques.
- M1016 Vulnerability Scanning
- M1018 User Account Management
- M1019 Threat Intelligence Program
- M1021 Restrict Web-Based Content
- M1026 Privileged Account Management
- M1030 Network Segmentation
- M1033 Limit Software Installation
- M1035 Limit Access to Resource Over Network
- M1037 Filter Network Traffic
- M1038 Execution Prevention
- M1040 Behavior Prevention on Endpoint
- M1042 Disable or Remove Feature or Program
- M1045 Code Signing
- M1047 Audit
- M1048 Application Isolation and Sandboxing
- M1049 Antivirus/Antimalware
- M1050 Exploit Protection
- M1051 Update Software
Linked CVEs
- CVE-2022-41082 KEV CVSS 8.0 EPSS 91%
- CVE-2021-27065 KEV CVSS 7.8 EPSS 94%
- CVE-2021-26858 KEV CVSS 7.8 EPSS 74%
- CVE-2021-26857 KEV CVSS 7.8 EPSS 45%
Related actors
Share a CVE, technique or malware with this actor.
Activity (8 weeks)
Recent activity
- CVE-2022-41082 โ Microsoft Exchange Server Remote Code Execution Vulnerability CISA KEV
- CVE-2021-26858 โ Microsoft Exchange Server Remote Code Execution Vulnerability CISA KEV
- CVE-2021-27065 โ Microsoft Exchange Server Remote Code Execution Vulnerability CISA KEV
- CVE-2021-26857 โ Microsoft Exchange Server Remote Code Execution Vulnerability CISA KEV