ATK233

Presumed Origin: China

Alias: HAFNIUM

ATK233 (also tracked as HAFNIUM by Microsoft) is the group designated as responsible for the Microsoft Exchange Server data breach of 2021.

 

Microsoft assesses the group to be "state sponsored and operating out of China".

 

According to the investigative findings of Microsoft (the main source of information on this group), the operators are based in China but mainly use virtual private servers located in the United States.

 

Their targets during this campaign included infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

 

In July 2021, British Foreign Secretary Dominic Raab stated that the attack was carried out by "Chinese state-backed groups" linked to the Ministry of State Security (MSS). The Chinese government has denied responsibility for the 2021 Microsoft Exchange breach.

 

The group is described as "highly skilled and sophisticated".

 

References:

https://blog.talosintelligence.com/2021/03/hafnium-update.html

https://blog.talosintelligence.com/2021/03/threat-advisory-hafnium-and-microsoft.html

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

 

 


Target sector

  • Defense contractors
  • Healthcare
  • Non-governmental organizations
  • Political
  • Scientific Research and Consulting
  • Universities

Target countries

  • United States Of America

Attack pattern

  • T1505.003 - Web Shell
  • T1595.002 - Vulnerability Scanning

Motivation

  • Cyber Espionage

Malware

  • Tarrask

Vulnerabilities

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065