APT PROFILE – HAFNIUM

Hafnium (aka Silk Typhoon / MURKY PANDA) is a China-linked APT that conducts global cyber espionage against governments, research organisations, and critical infrastructure using public-facing application exploits (including the Microsoft Exchange Server flaws CVE-2020-0688 and CVE-2021-26855), cloud credential abuse, supply-chain tactics, and a multi-tier contracting model of nominally private firms. Recent campaigns show SharePoint exploitation, SEO poisoning, IoT and supply-chain targeting, and deployment of tools and malware such as Covenant, China Chopper, Tarrask, PlugX, and Whitebird. #Hafnium #CVE-2020-0688 #CVE-2021-26855 #Tarrask #PlugX #Whitebird

Keypoints

  • Hafnium is a state-sponsored Chinese APT (also known as Silk Typhoon / MURKY PANDA) focused on espionage against defense, higher education, medical research, and supply-chain-dependent industries.
  • The group leverages zero-day and public-facing application exploits, notably CVE-2020-0688 and CVE-2021-26855 (both in Microsoft Exchange Server), to compromise email servers, SharePoint, and other enterprise products.
  • Hafnium employs a multi-tier contracting model, using nominally private Chinese firms and third-party service providers to develop and operate offensive tooling.
  • Recent campaigns emphasize cloud abuse (compromised credentials, cloud instance lateral movement), SEO poisoning to distribute malware, and attempts to compromise IoT and supply-chain infrastructure.
  • Tools and frameworks observed include Covenant, Impacket, PsExec, Nishang, PowerCat, China Chopper, ASPXSpy, and archive utilities for collection/exfiltration.
  • Malware families associated with Hafnium include Tarrask, PlugX, and Whitebird, used for persistence, remote access, and data theft.
  • Operations exhibit advanced forensic and data-collection capabilities, including acquisition of encrypted data and remote access to mobile and Apple devices and to physically secured endpoints.
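
Tarrask is listed above only as a persistence family. The following hunt for it is an added example, not code from CYFIRMA, Microsoft or the malware's analysts, and it relies on a detail that is not on this page: Microsoft's public analysis of Tarrask reports that the malware registers a scheduled task and then deletes the task's SD (security descriptor) value under the TaskCache\Tree registry key, so the task disappears from schtasks and the Task Scheduler UI while it keeps running. The script parses a `reg export` of that key and a `schtasks /query /fo csv /nh` listing, both collected on the host and analysed offline, and flags task entries that lack SD or that schtasks does not report. The embedded export, the listing, the GUIDs and the task names in them are constructed for the example.

```python
r"""Offline hunt for scheduled tasks hidden the way Tarrask hides them.

Tarrask registers a scheduled task and then deletes the task's "SD" (security
descriptor) value under
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task path>
(per Microsoft's public analysis; this detail is not from the profile page).
Without SD the task vanishes from schtasks /query and the Task Scheduler UI.
Inputs, collected on the host and analysed here offline:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" tree.reg
  schtasks /query /fo csv /nh > tasks.csv
The embedded samples, GUIDs and task names are constructed for this example.
"""
import csv
import io
import re
import sys

TREE_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')  # "Name"=data

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{00000000-0000-0000-0000-000000000001}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,20,00,00,00,00,00,00,00,2c,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Foo\WinUpdateCheck]
"Id"="{00000000-0000-0000-0000-000000000002}"
"Index"=dword:00000003
"""

# schtasks /query /fo csv /nh columns: TaskName, Next Run Time, Status (constructed)
SAMPLE_SCHTASKS = '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'


def parse_reg_export(text):
    """Map each Tree subkey (task path such as \\Microsoft\\Windows\\X) to its values.
    Handles the subset of .reg syntax reg.exe emits: [key] headers, "name"=data
    lines, and hex data continued over several lines with a trailing backslash."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                pending = None
                keys[current][name] = data
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(TREE_PREFIX.lower() + "\\"):
                current = key[len(TREE_PREFIX):]     # keep the leading backslash
                keys[current] = {}
            else:
                current = None                        # the Tree root or an unrelated key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                keys[current][name] = data
    return keys


def task_entries(keys):
    """Leaf Tree keys carrying an Id; a key with child keys is a task folder."""
    return {p: v for p, v in keys.items()
            if "Id" in v and not any(o.startswith(p + "\\") for o in keys)}


def find_hidden_tasks(keys):
    """Task entries whose SD value is gone: the Tarrask hiding pattern."""
    return sorted(p for p, v in task_entries(keys).items() if "SD" not in v)


def tasks_missing_from_schtasks(keys, schtasks_csv):
    """Task entries present in the registry that the schtasks listing does not report."""
    listed = {row[0].strip() for row in csv.reader(io.StringIO(schtasks_csv)) if row}
    return sorted(p for p in task_entries(keys) if p not in listed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # reg export writes UTF-16 with a BOM; schtasks output is console text
        export = open(sys.argv[1], encoding="utf-16").read()
        listing = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        export, listing = SAMPLE_EXPORT, SAMPLE_SCHTASKS
    tree = parse_reg_export(export)
    print("Tree entries without SD:", find_hidden_tasks(tree))
    print("Tree entries not listed by schtasks:", tasks_missing_from_schtasks(tree, listing))
```

Run it with no arguments to see the constructed case, or with `tree.reg tasks.csv` collected from a host. The two signals are independent: the missing SD value is the artifact Tarrask leaves, and the registry-versus-schtasks difference catches any technique that hides a task from the API while leaving the Tree key in place.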

MITRE Techniques

  • [T1589.002] Gather Victim Identity Information: Email Addresses – Collection of targeted email addresses during reconnaissance for follow-on access or phishing.
  • [T1592.004] Gather Victim Host Information: Client Configurations – Gathering client configuration details to tailor exploitation and post-compromise actions.
  • [T1590] Gather Victim Network Information – Mapping victim networks to identify targets and lateral movement paths.
  • [T1590.005] Gather Victim Network Information: IP Addresses – Collection of IP addresses to enumerate and target networked systems.
  • [T1593.003] Search Open Websites/Domains: Code Repositories – Searching public code repositories for intelligence, credentials, or configuration files.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Use of VPS infrastructure to host tooling and C2 services.
  • [T1583.005] Acquire Infrastructure: Botnet – Purchase or rental of botnet resources as part of infrastructure acquisition.
  • [T1583.006] Acquire Infrastructure: Web Services – Use of third-party web services to support operations and hosting.
  • [T1584.005] Compromise Infrastructure: Botnet – Compromise of third-party devices to build or extend a botnet used in operations.
  • [T1199] Trusted Relationship – Abuse of trusted relationships (e.g., supply-chain partners and service providers) for initial access.
  • [T1190] Exploit Public-Facing Application – Exploitation of public-facing applications such as SharePoint and Microsoft Exchange Server (CVE-2020-0688, CVE-2021-26855).
  • [T1078.003] Valid Accounts: Local Accounts – Use and creation of local accounts for access and persistence.
  • [T1078.004] Valid Accounts: Cloud Accounts – Use of compromised cloud accounts to access cloud resources and move laterally.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of PowerShell scripts and frameworks (e.g., Nishang, PowerCat) for command execution and payload delivery.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of Windows shell commands and tools (e.g., PsExec) for execution and lateral movement.
  • [T1136.002] Create Account: Domain Account – Creation of domain accounts to maintain persistence and elevate access.
  • [T1098] Account Manipulation – Manipulation of accounts to maintain access and escalate privileges.
  • [T1505.003] Server Software Component: Web Shell – Deployment of web shells such as ASPXSpy and China Chopper for persistence on compromised web servers.
  • [T1068] Exploitation for Privilege Escalation – Exploitation of vulnerabilities to gain higher privileges on compromised hosts.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Hiding files and directories to evade detection.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Clearing Windows event logs to remove traces of activity.
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Use of rundll32 to proxy execution of payloads and evade controls.
  • [T1550.001] Use Alternate Authentication Material: Application Access Token – Abuse of stolen application access tokens for lateral movement without passwords.
  • [T1110.003] Brute Force: Password Spraying – Password spraying (a few common passwords tried against many accounts) to gain access while avoiding lockouts.
  • [T1555.006] Credentials from Password Stores: Cloud Secrets Management Stores – Harvesting credentials from cloud secret stores for access to cloud resources.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS memory to extract credentials.
  • [T1003.003] OS Credential Dumping: NTDS – Dumping the NTDS.dit database to obtain domain credentials.
  • [T1083] File and Directory Discovery – Enumerating files and directories to locate sensitive data.
  • [T1057] Process Discovery – Enumerating running processes to identify security products and targeted applications.
  • [T1018] Remote System Discovery – Discovering remote systems for lateral movement opportunities.
  • [T1016] System Network Configuration Discovery – Mapping system network configuration to plan operations.
  • [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – Determining whether and how compromised hosts reach the internet.
  • [T1033] System Owner/User Discovery – Identifying system owners and users for targeted collection.
  • [T1560.001] Archive Collected Data: Archive via Utility – Using archive utilities to compress and stage data for exfiltration.
  • [T1119] Automated Collection – Automated collection of files and data at scale.
  • [T1530] Data from Cloud Storage – Collecting sensitive data from cloud storage services.
  • [T1213.002] Data from Information Repositories: SharePoint – Targeting SharePoint repositories to collect and exfiltrate data (“exploited a security flaw in SharePoint, affecting thousands of servers”).
  • [T1005] Data from Local System – Collecting files from local systems for exfiltration.
  • [T1114.002] Email Collection: Remote Email Collection – Remote collection of mailbox content from compromised mail systems.
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and data transfer over HTTP/HTTPS.
  • [T1132.001] Data Encoding: Standard Encoding – Use of standard encodings (e.g., Base64) to obfuscate C2 or payload data.
  • [T1105] Ingress Tool Transfer – Transfer of tooling such as Covenant and China Chopper into victim environments.
  • [T1095] Non-Application Layer Protocol – Use of non-application-layer protocols for C2 or data transfer.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltration of collected data to cloud storage services.

Indicators of Compromise

  • [Malware] observed tool/malware names – Tarrask, PlugX, Whitebird (associated with persistence and remote access).
  • [Tooling] common tools and web shells – Covenant, China Chopper, ASPXSpy, PowerCat (used for C2, web shell access, and command execution).
  • [Vulnerabilities] exploited CVEs – CVE-2020-0688 (Microsoft Exchange Server remote code execution via a static validation key) and CVE-2021-26855 (Microsoft Exchange Server server-side request forgery, part of the ProxyLogon chain).
  • [Targets / Technologies] targeted platforms – Microsoft SharePoint, Microsoft Exchange Server, Citrix NetScaler, Commvault Web Server, cloud infrastructure.
  • [TTP Context] credential and cloud artifacts – compromised cloud accounts and application access tokens, credentials harvested from cloud secrets stores, and password-spraying attempts.


Read more: https://www.cyfirma.com/research/apt-profile-hafnium/