Microsoft takes aim at Hafnium over mail server hacks

By Paddy Smith
Microsoft blames a Chinese state-sponsored espionage group for attacks on its Exchange mail server software...

Microsoft says it has identified “a state-sponsored threat actor” for attacks on its mail server software.

The Microsoft Threat Intelligence Centre (MSTIC) attributed the attacks to Hafnium, a Chinese state-sponsored cyber espionage group, and called the group “a highly skilled and sophisticated actor”.

How did Hafnium infiltrate on-premises Exchange servers?

The company went public in a blog written by Tom Burt, corporate vice president, customer security and trust.

Burt said, “Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network.”
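The three-step pattern Burt describes gives defenders one concrete thing to look for on an Exchange server, even after it has been patched: the web shell is a script file the actor had to write into a directory IIS serves. The PowerShell below is an added example written for this page, not Microsoft's or the article's own tooling. The Exchange directory paths, the 30-day look-back window and the web-shell regex patterns are assumptions that must be adjusted to the local install; the script only reports, it does not delete anything.

```powershell
# Added example (not Microsoft's code): hunt for web shells written into the
# web-served directories of an on-premises Exchange server.
# Assumptions (hypothetical, adjust to your environment):
#   - $ExchangeRoot is the Exchange install directory
#   - the directories in $webRoots are the IIS-served paths a web shell
#     would be dropped into; aspnet_client should hold no script files at all
#   - a file is worth a look if it is newer than $Since, or if it contains
#     primitives a web shell needs (eval of request input, process spawning)
param(
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    [datetime]$Since = (Get-Date).AddDays(-30)
)

$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
) | Where-Object { Test-Path $_ }

# Regexes (assumed, case-insensitive under -match) for common web-shell bodies
$shellPatterns = @(
    'eval\s*\(',          # JScript-style eval of attacker-supplied input
    'Process\.Start',     # .NET process spawn from the page
    'ProcessStartInfo',
    'cmd\.exe',
    'powershell(\.exe)?'
)

function Find-SuspiciousWebFiles {
    param(
        [string[]]$Roots,
        [datetime]$NewerThan,
        [string[]]$Patterns
    )
    $hits = @()
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $matched = @($Patterns | Where-Object { $content -match $_ })
            $recent  = ($file.CreationTimeUtc -gt $NewerThan) -or ($file.LastWriteTimeUtc -gt $NewerThan)
            # aspnet_client is static content only; any script file there is anomalous
            $oddPlace = $file.FullName -like '*\aspnet_client\*'
            if ($matched.Count -gt 0 -or $recent -or $oddPlace) {
                $hits += [pscustomobject]@{
                    Path     = $file.FullName
                    Created  = $file.CreationTimeUtc
                    Modified = $file.LastWriteTimeUtc
                    Recent   = $recent
                    OddPlace = $oddPlace
                    Patterns = ($matched -join ', ')
                    Sha256   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
    return $hits
}

$findings = Find-SuspiciousWebFiles -Roots $webRoots -NewerThan $Since -Patterns $shellPatterns
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: legitimate OWA and ECP pages live in the same directories, so a hit is confirmed by comparing the file's hash against a clean install of the same Exchange build and by checking who wrote it and when in the IIS and Windows event logs. A web shell is also only the second of Burt's three steps; the credential or vulnerability used to get in, and any outbound data transfer from the server, still have to be investigated separately.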

What is Hafnium?

According to MSTIC, “Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, Hafnium typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed Hafnium interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. Hafnium operates primarily from leased virtual private servers (VPS) in the United States.”

Working together on cybercrime

The exploited vulnerabilities have now been patched, but Burt used the attacks to reiterate Microsoft’s view that reporting of cyber incidents should be required by law.

He said, “We are encouraged that many organisations are voluntarily sharing data with the world, among each other and with government institutions committed to defence. We’re grateful to researchers at Volexity and Dubex who notified us about aspects of this new Hafnium activity and worked with us to address it in a responsible way. We need more information to be shared rapidly about cyberattacks to enable all of us to better defend against them. That is why Microsoft president Brad Smith recently told the US Congress that we must take steps to require reporting of cyber incidents.”

Burt said there was no link to the recent SolarWinds cyberattack.
