HAFNIUM

APT / StateG0125
OriginChina
Techniques (MITRE ATT&CK)44
SourceMITRE ATT&CK
Also known as:Operation Exchange MarauderSilk Typhoon

Vexday analysis

HAFNIUM é um grupo de espionagem cibernética com provável patrocínio estatal, originário da China, ativo pelo menos desde janeiro de 2021 e rastreado pela MITRE ATT&CK sob o identificador G0125. O grupo — também referenciado como Operation Exchange Marauder e Silk Typhoon — tem como alvo prioritário entidades nos Estados Unidos em setores variados, incluindo pesquisa de doenças infecciosas, escritórios de advocacia, instituições de ensino superior, contratantes de defesa, centros de pesquisa em políticas públicas e ONGs. Entre as táticas documentadas, destaca-se o uso de ferramentas de gerenciamento remoto e software em nuvem para acesso inicial, além da capacidade demonstrada de operacionalizar rapidamente exploits para vulnerabilidades identificadas em dispositivos de borda — com 2 CVEs atribuídas e 44 técnicas ATT&CK mapeadas.

Techniques (MITRE ATT&CK) 44

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance
Email AddressesGather Victim Network InformationIP AddressesClient ConfigurationsCode Repositories
Resource development
Virtual Private ServerBotnetWeb ServicesBotnet
Initial access
Exploit Public-Facing ApplicationTrusted Relationship
Execution
PowerShellWindows Command Shell
Persistence
Account ManipulationDomain AccountWeb Shell
Privilege escalation
Exploitation for Privilege Escalation
Credential access
LSASS MemoryNTDSPassword SprayingCloud Secrets Management Stores
Discovery
System Network Configuration DiscoveryInternet Connection DiscoveryRemote System DiscoverySystem Owner/User DiscoveryProcess DiscoveryFile and Directory Discovery
Lateral movement
Application Access Token
Collection
Data from Local SystemRemote Email CollectionAutomated CollectionSharepointData from Cloud StorageArchive via Utility
Command and control
Web ProtocolsNon-Application Layer ProtocolIngress Tool TransferStandard Encoding
Exfiltration
Exfiltration to Cloud Storage
defense-impairment
Clear Windows Event Logs
stealth
Local AccountsCloud AccountsRundll32Hidden Files and Directories

Exploited vulnerabilities 2

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2014-7169CRITICALEPSS 100%KEVCVE-2016-6662EPSS 68%

HAFNIUM uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →