G0125 · 31 ATT&CK techniques · 2 correlated reports

HAFNIUM

Aliases: Operation Exchange Marauder, Silk Typhoon

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Open interactive actor investigation

ATT&CK techniques

T1592.004
Client Configurations T1105
Ingress Tool Transfer T1583.006
Web Services T1560.001
Archive via Utility T1005
Data from Local System T1033
System Owner/User Discovery T1059.003
Windows Command Shell T1057
Process Discovery T1003.001
LSASS Memory T1590
Gather Victim Network Information T1505.003
Web Shell T1589.002
Email Addresses T1567.002
Exfiltration to Cloud Storage T1114.002
Remote Email Collection T1218.011
Rundll32 T1078.003
Local Accounts T1059.001
PowerShell T1564.001
Hidden Files and Directories T1016.001
Internet Connection Discovery T1016
System Network Configuration Discovery T1590.005
IP Addresses T1083
File and Directory Discovery T1003.003
NTDS T1098
Account Manipulation T1136.002
Domain Account T1071.001
Web Protocols T1018
Remote System Discovery T1190
Exploit Public-Facing Application T1095
Non-Application Layer Protocol T1132.001
Standard Encoding T1583.003
Virtual Private Server

Correlated CTI and IR reports

Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based Detection
1200km CTI repository · explicit report mention Malicious Activity as a Statistical Signal A Detection Engineering Analysis of Anomaly Based
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research