Description
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Techniques Used (TTPs)
- T1592.004 — Client Configurations (reconnaissance)
- T1110.003 — Password Spraying (credential-access)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1583.006 — Web Services (resource-development)
- T1560.001 — Archive via Utility (collection)
- T1005 — Data from Local System (collection)
- T1583.005 — Botnet (resource-development)
- T1033 — System Owner/User Discovery (discovery)
- T1213.002 — Sharepoint (collection)
- T1068 — Exploitation for Privilege Escalation (privilege-escalation)
- T1584.005 — Botnet (resource-development)
- T1059.003 — Windows Command Shell (execution)
- T1057 — Process Discovery (discovery)
- T1003.001 — LSASS Memory (credential-access)
- T1530 — Data from Cloud Storage (collection)
- T1119 — Automated Collection (collection)
- T1590 — Gather Victim Network Information (reconnaissance)
- T1505.003 — Web Shell (persistence)
- T1589.002 — Email Addresses (reconnaissance)
- T1555.006 — Cloud Secrets Management Stores (credential-access)
- T1593.003 — Code Repositories (reconnaissance)
- T1567.002 — Exfiltration to Cloud Storage (exfiltration)
- T1114.002 — Remote Email Collection (collection)
- T1218.011 — Rundll32 (defense-evasion)
- T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1059.001 — PowerShell (execution)
- T1070.001 — Clear Windows Event Logs (defense-evasion)
- T1564.001 — Hidden Files and Directories (defense-evasion)
- T1016.001 — Internet Connection Discovery (discovery)
- T1016 — System Network Configuration Discovery (discovery)
- T1590.005 — IP Addresses (reconnaissance)
- T1199 — Trusted Relationship (initial-access)
- T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1083 — File and Directory Discovery (discovery)
- T1003.003 — NTDS (credential-access)
- T1098 — Account Manipulation (persistence, privilege-escalation)
- T1136.002 — Domain Account (persistence)
- T1071.001 — Web Protocols (command-and-control)
- T1018 — Remote System Discovery (discovery)
- T1550.001 — Application Access Token (defense-evasion, lateral-movement)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1095 — Non-Application Layer Protocol (command-and-control)
- T1132.001 — Standard Encoding (command-and-control)
- T1583.003 — Virtual Private Server (resource-development)
Total TTPs: 44