hafnium
Hafnium, now mapped by Microsoft to Silk Typhoon, is a China-attributed state-sponsored threat actor. The provided content explicitly describes Silk Typhoon as also known as Hafnium, and notes Microsoft’s 2024 taxonomy change mapping HAFNIUM to Silk Typhoon. Reported aliases in the content include Murky Panda, Operation Exchange Marauder, Silk Typhoon, and Timmy. The actor is best known for exploiting four zero-day vulnerabilities in on-premises Microsoft Exchange Server in 2021. Microsoft said Hafnium operated from China, commonly using leased virtual private servers in the United States, and targeted U.S.-based organizations to steal information.

Victim sectors and organizations explicitly mentioned in the content include universities and higher education, defense contractors, law firms and legal services, infectious-disease researchers, policy think tanks, NGOs and international aid organizations, state and local governments, healthcare, finance, and the U.S. Department of the Treasury. Additional reporting in the content states that, as of 2024, Silk Typhoon was focused on using stolen credentials to gain access to networks operated by state and local governments.

The content attributes to Hafnium/Silk Typhoon a range of post-compromise behaviors and techniques. These include impersonating authorized users after Exchange exploitation; establishing remote control of compromised servers; deploying web shells and other malware; collecting data and files from compromised machines; exporting mailbox data via the Exchange PowerShell cmdlet Set-OabVirtualDirectory; abusing service principals to enable data exfiltration; and exfiltrating data to file-sharing sites including MEGA.
ATT&CK-style examples in the content also state that HAFNIUM used cmd.exe to execute commands, tasklist to enumerate processes, whoami to gather user information, net group "Domain computers" and nltest /dclist for domain controller discovery, ASCII encoding for C2 traffic, open-source C2 frameworks including Covenant, and hidden scheduled-task persistence via the Tarrask malware. Microsoft Threat Intelligence Center linked Hafnium to Tarrask, describing its use of hidden scheduled tasks, including a task named "WinUpdate," to re-establish command-and-control connectivity while evading Task Scheduler and schtasks visibility. Beyond the 2021 Exchange activity, the content states that Hafnium/Silk Typhoon targeted telecommunications, internet service provider, and data services entities between August 2021 and February 2022, and that Silk Typhoon was linked to the December 2024 U.S. Treasury breach. The content also states that Silk Typhoon has targeted defense, healthcare, higher education, legal services, NGOs, and global IT supply chains, and abused remote-access tools and cloud applications for initial access. One cited report also says employees of i-Soon were named alongside members of China’s APT27, aka Silk Typhoon, but the broader content consistently treats Hafnium/Silk Typhoon as the same China-linked espionage actor.
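The Tarrask persistence described above works by registering a task and then removing the SD (security descriptor) value from the task's node under the TaskCache\Tree registry key, which is why schtasks and the Task Scheduler UI stop listing it while the task keeps running. The following script is an added example for defenders, not code from the page or from Mallory: it walks that registry tree on a Windows host and reports any task node that has an Id value but no SD value. The registry paths and the Id, SD, Path and Author value names are the standard TaskCache layout; it must be run from an elevated PowerShell session, since standard users cannot read those keys.

```powershell
# Added example: surface scheduled tasks hidden by deleting their SD value
# (the Tarrask pattern). Run as Administrator.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path $TreeRoot -Recurse | ForEach-Object {
        $node = Get-ItemProperty -Path $_.PSPath

        # Only nodes carrying an Id (a task GUID) are tasks; the rest are folders.
        if (-not $node.PSObject.Properties['Id']) { return }

        # A task node without an SD value is invisible to schtasks /query and
        # to the Task Scheduler UI, yet the service still executes it.
        if (-not $node.PSObject.Properties['SD']) {
            $taskKey = Join-Path -Path $TasksRoot -ChildPath $node.Id
            $task    = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue

            [pscustomobject]@{
                TaskPath = $_.PSPath -replace '^.*\\Tree\\', '\'
                Id       = $node.Id
                RegPath  = $task.Path     # task path as stored under Tasks\<GUID>
                Author   = $task.Author   # often empty or spoofed for planted tasks
            }
        }
    }
}

$hidden = Get-HiddenScheduledTask
if ($hidden) {
    Write-Warning ('{0} scheduled task(s) have no SD value; compare against schtasks /query /fo LIST' -f @($hidden).Count)
    $hidden | Format-Table -AutoSize
} else {
    Write-Output 'No scheduled task nodes with a missing SD value found.'
}
```

A task that appears in this output but not in `schtasks /query` output is the discrepancy the Tarrask report describes; the task name (for example the "WinUpdate" name cited above) is a weak signal on its own, whereas the missing SD value is structural and does not depend on the name the operator chose. On a clean build the script should return nothing, so any hit warrants pulling the corresponding Tasks\<GUID> key, its Actions blob, and the host's Microsoft-Windows-TaskScheduler/Operational log for the registration event.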
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
16 malware families attributed to this actor across reporting.
11 additional families tracked in Mallory.
Associated vulnerabilities
20 CVEs this actor has used in observed campaigns. 20 of them exploited in the wild.
The flaw is a variant of CVE-2024-12356, which was linked to the December 2024 hack of the U.S. Treasury Department by Silk Typhoon, a state-linked actor backed by China.
Hafnium gained prominence in 2021 for the campaign targeting the Microsoft vulnerability known as ProxyLogon. The bug was used to steal troves of U.S. government emails and other data from large companies.
Microsoft detected and fixed several zero-day vulnerabilities that were used in targeted attacks against Microsoft Exchange Server email servers... CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft detected and fixed several zero-day vulnerabilities that were used in targeted attacks against Microsoft Exchange Server email servers... CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft detected and fixed several zero-day vulnerabilities that were used in targeted attacks against Microsoft Exchange Server email servers... CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
15 more CVEs tied to this actor tracked in Mallory.
Observables
69 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a major APT disclosure example used to illustrate delayed disclosure and monitored access by defenders.
Sustained finance-sector targeting across reporting periods.
Referenced as having previously used Exchange mailbox enumeration and export via the EWS API in operations.
China-linked state-sponsored espionage activity targeting education and research institutions.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.