APT PROFILE – HAFNIUM

Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group, also referred to as Silk Typhoon, and is known for sophisticated cyber espionage targeting critical sectors worldwide. The group operates under the sponsorship of China’s Ministry of State Security (MSS) and utilizes both advanced attack techniques and layered relationships with contracted technology firms for operational support.

Alias:
MURKY PANDA, Silk Typhoon

Motivation:
Espionage

Target Technologies:
Microsoft SharePoint, Citrix Netscaler, Cloud Infrastructure, Commvault Web Server, Office Suites Software, Operating System, Web Application.

Tools Used:
Covenant, Impacket, PsExec, Nishang, PowerCat, Archive Utilities, China Chopper, ASPXSpy.

Malware used by the Hafnium:
Tarrask, PlugX, and Whitebird.

Targeted Countries:
The United States of America, the United Kingdom, Australia, Japan, Vietnam, Cañada, and Mexico.

Targeted Industries

HAFNIUM/Silk Typhoon Attack Flow

Recently Exploited Vulnerabilities by the Hafnium

• CVE-2020-0688
• CVE-2021-26855

Hafnium’s Recent Campaign Highlights and Trends

Recent Campaign Highlights

• SharePoint Vulnerability Exploitation: Recently, Silk Typhoon exploited a security flaw in SharePoint, affecting thousands of servers.
• Supply Chain & IoT Threats: Recent campaigns show Hafnium leveraging SEO poisoning (malicious software download links ranked on search engines), cloud service abuse, and a growing interest in compromising supply chains and IoT networks for access and persistent intelligence gathering.
• Multi-Tier Contracting Model: Investigations reveal that Hafnium often acts through a network of nominally private Chinese firms, which develop specialized cyber offensive tools and conduct operations as government contractors. This approach complicates attribution and lets the group field a broader, more sophisticated array of capabilities.

Trends and Tactics

• Intrusive Forensics and Data Collection: Hafnium’s new tools focus on encrypted data acquisition, remote device access (including Apple and mobile platforms), and rapid digital forensics—even on physically secured endpoints—expanding the threat surface beyond traditional server/PC environments.
• Continued Exploitation of Zero-Days: The group maintains heavy reliance on exploiting zero-day vulnerabilities in widely deployed enterprise products, including email servers, network appliances, and smart/IoT controllers.
• Cloud and Credential Abuse: Attacks increasingly involve weak or compromised cloud credentials, insufficient cloud monitoring, and lateral movement through cloud instances, reflecting evolving cloud-oriented intrusion techniques.

Sector Focus

• Hafnium’s 2025 targeting scope remains global, prioritized toward defense, policy institutes, higher education, medical research, and sectors with extensive proprietary or strategic data.
• Increasing attention is given to industries with essential infrastructure and IoT dependencies, reflecting a shift to disrupt and exfiltrate from companies with complex supply chains.

TTPs based on MITRE ATT&CK Framework