HAFNIUM
Also known as: Operation Exchange Marauder, Silk Typhoon
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly oper...
Coverage summary: 44 techniques attributed, 41 covered, 3 gaps (93% coverage).
COVERED (41)
| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1016 | System Network Configuration Discovery | 35 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1018 | Remote System Discovery | 46 |
| T1033 | System Owner/User Discovery | 59 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.001 | Clear Windows Event Logs | 15 |
| T1071.001 | Web Protocols | 74 |
| T1078.003 | Local Accounts | 23 |
| T1078.004 | Cloud Accounts | 149 |
| T1083 | File and Directory Discovery | 48 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1098 | Account Manipulation | 186 |
| T1105 | Ingress Tool Transfer | 170 |
| T1110.003 | Password Spraying | 65 |
| T1114.002 | Remote Email Collection | 18 |
| T1119 | Automated Collection | 11 |
| T1132.001 | Standard Encoding | 5 |
| T1136.002 | Domain Account | 9 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1199 | Trusted Relationship | 6 |
| T1213.002 | Sharepoint | 4 |
| T1218.011 | Rundll32 | 73 |
| T1505.003 | Web Shell | 57 |
| T1530 | Data from Cloud Storage | 30 |
| T1550.001 | Application Access Token | 30 |
| T1555.006 | Cloud Secrets Management Stores | 7 |
| T1560.001 | Archive via Utility | 24 |
| T1564.001 | Hidden Files and Directories | 23 |
| T1567.002 | Exfiltration to Cloud Storage | 27 |
| T1583.006 | Web Services | 1 |
| T1589.002 | Email Addresses | 2 |
| T1590 | Gather Victim Network Information | 4 |
| T1590.005 | IP Addresses | 4 |
| T1592.004 | Client Configurations | 3 |
| T1593.003 | Code Repositories | 2 |