The tech giant said the hackers belonged to a state-backed group, which was a “highly skilled and sophisticated actor”. In a blog post, Microsoft said the hacking campaign made use of four previously undetected vulnerabilities in different versions of the software. The security flaws allowed the hackers to remotely access email inboxes.
Microsoft’s Threat Intelligence Centre attributed the attacks with “high confidence” to Hafnium, a group assessed to be state-sponsored and operating out of China. It based its conclusion on “observed victimology, tactics and procedures”. Microsoft said Hafnium targets infectious disease researchers, law firms, higher education institutions and defence contractors.
Policy think tanks and non-governmental groups have also been targeted. This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity it disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences. Although Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the US, Microsoft said. Separately, Microsoft said it has observed Hafnium interacting with users of its Office 365 suite. The company has released software updates aimed at addressing the vulnerabilities in its software. Microsoft said the attack was in no way related to the SolarWinds attack, which hit US government agencies late last year.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.
Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.