HAFNIUM
Also known as: Operation Exchange Marauder, Silk Typhoon
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly oper...
Coverage: 42 of 45 techniques covered (93%), 3 gaps.
COVERED (42)

| Technique ID | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1016 | System Network Configuration Discovery | 39 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1018 | Remote System Discovery | 50 |
| T1033 | System Owner/User Discovery | 61 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1070.001 | Clear Windows Event Logs | 16 |
| T1071.001 | Web Protocols | 80 |
| T1078.003 | Local Accounts | 23 |
| T1078.004 | Cloud Accounts | 167 |
| T1083 | File and Directory Discovery | 48 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1098 | Account Manipulation | 213 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110.003 | Password Spraying | 66 |
| T1114.002 | Remote Email Collection | 18 |
| T1119 | Automated Collection | 12 |
| T1132.001 | Standard Encoding | 5 |
| T1136.002 | Domain Account | 11 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1199 | Trusted Relationship | 6 |
| T1213.002 | Sharepoint | 4 |
| T1218.011 | Rundll32 | 75 |
| T1505.003 | Web Shell | 63 |
| T1530 | Data from Cloud Storage | 32 |
| T1550.001 | Application Access Token | 38 |
| T1555.006 | Cloud Secrets Management Stores | 8 |
| T1560.001 | Archive via Utility | 26 |
| T1564.001 | Hidden Files and Directories | 25 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1583.006 | Web Services | 1 |
| T1589.002 | Email Addresses | 2 |
| T1590 | Gather Victim Network Information | 5 |
| T1590.005 | IP Addresses | 4 |
| T1592.004 | Client Configurations | 4 |
| T1593.003 | Code Repositories | 2 |
| T1685.005 | Clear Windows Event Logs | 11 |