Jarrett Kolthoff | April 9th, 2021


Thousands of companies have been affected by security vulnerabilities in on-premises Microsoft Exchange servers. The flaws are affecting organizations across every industry and beyond, and this is the second mass exploitation in three months.

Hafnium – State-Sponsored Threat

The threat actors responsible for the attacks are suspected to be Hafnium, a People’s Republic of China (PRC) state-sponsored group. The Hafnium group is primarily targeting U.S. organizations such as law firms, disease researchers, educational institutions, think tanks, and many others in the PRC’s continual effort to steal U.S. intellectual property.

State-sponsored threats like Hafnium can be dangerous for organizations in the U.S. A state-sponsored threat is unique in that the threat actors, cyber espionage operators, have the full support of the Chinese government when attacking U.S. companies.

For many threat groups around the world, financial gain is the primary motive for attacking organizations. For the Chinese state-sponsored threat, the primary focus is the theft of intellectual property, more so than the theft of classified U.S. information. Over the past year, popular targets were research facilities that held vaccine information relating to COVID-19. In May, a leading COVID-19 therapeutics institution, Gilead Sciences, was targeted by Chinese threat actors who attempted to collect passwords from executives through fake email login pages. In another instance, Johnson & Johnson’s CISO was quoted this past December saying state-sponsored threats were attacking them “every single minute of every single day”. SpearTip has a long history of conducting counterespionage investigations that display the PRC’s tradecraft of blending traditional HUMINT with cyber espionage activity by Chinese scientists and state actors. They are often cited as advanced persistent threats (APT) for a reason.

When the Exchange vulnerabilities came to light, Hafnium took an aggressive approach to attacking organizations. By installing web shells, Hafnium threat actors left a backdoor into networks that gave them complete remote control, the ability to read all email, and an easy path to move laterally across the network to other victim machines. Microsoft’s security team was aware of the vulnerabilities in January but wanted to notify all server operators before the flaws became public to threat actors, to avoid the mass scanning and inevitable exploitation. Unfortunately, Hafnium and other threat groups became aware of a published proof-of-concept (PoC) and began to exploit the vulnerabilities immediately. Even though the Chinese attacks have become more brazen over the years, the Hafnium exploitation was extremely “noisy” and still a bit out of character. SpearTip continues to analyze the exploit, its impact, and the follow-on actions this group will leverage.
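A web shell planted on a server has to live somewhere the web server will execute it, so it appears as a new or altered server-side script file under a web-served directory. The following is an added illustration of that defensive check, not SpearTip's tooling or anything from the Exchange investigation: it records a baseline of script files and their SHA-256 hashes, then reports files that are new or whose content changed. The directory names, the extension list, and the sample files are all constructed for the demo.

```python
"""Baseline-diff check for unexpected script files in web-served directories.

Added example (not SpearTip's tooling). It baselines every server-side script
file under a web root by SHA-256, then reports files that are new or modified
relative to that baseline. Paths, extensions and sample content are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server would execute as server-side code (assumed list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every script file under root."""
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def find_suspicious(root: Path, baseline: dict) -> list:
    """Return script files absent from the baseline or whose hash changed."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        if rel not in baseline:
            findings.append({"path": rel, "reason": "new", "sha256": digest})
        elif baseline[rel] != digest:
            findings.append({"path": rel, "reason": "modified", "sha256": digest})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed scenario: baseline a fake web root, then add one script and alter one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth").mkdir()
        (root / "auth" / "logon.aspx").write_text("<%-- legitimate page --%>")
        (root / "admin").mkdir()
        (root / "admin" / "default.aspx").write_text("<%-- legitimate page --%>")
        (root / "readme.txt").write_text("not a script; ignored by the scan")

        baseline = build_baseline(root)

        # What a later scan would see: one new script file and one changed file.
        (root / "auth" / "unexpected.aspx").write_text("<%-- constructed sample --%>")
        (root / "admin" / "default.aspx").write_text("<%-- content changed --%>")

        return find_suspicious(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['reason']:>8}  {finding['path']}  sha256={finding['sha256'][:16]}...")
```

In practice the baseline is taken from a known-good state (for example right after patching) and stored off-host, and the scan runs on a schedule; a hit is a lead for investigation, not proof of compromise, since legitimate updates also change these files.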

If you’re a leader in your organization, imagine what the ramifications would be if people outside your business could access and read company emails. Going through your response process with a security firm and legal team will help you stop these persistent threats. This won’t be the last time thousands of organizations are affected all at once. Be prepared to act.

All it takes is one exposed vulnerability to ignite a mass-scan by threat actors. Security firms are essential in protection because they have dedicated teams analyzing and unpacking malware to understand how it operates and what the threat actors are trying to accomplish. So, when another large-scale attack happens, think about how your organization is approaching company security.

A continuous 24/7 investigation cycle provides the most impactful action when responding to state-sponsored threats. Understanding their motives, tactics, techniques, and procedures is the only way to stop them.

It’s not your average cybercriminal on the other side of these attacks. It’s a highly sophisticated team of threat actors with malicious intent and the ability to thwart almost all of your general security tools. You need to match that expertise in your proactive defense in order to stop threats from doing damage to your organization and Outmaneuver Your Adversary ®.



Frequently Asked Questions

What are the potential long-term consequences for organizations targeted by state-sponsored threats like Hafnium?

Potential long-term consequences for organizations targeted by state-sponsored threats like Hafnium may include reputational damage, financial losses, loss of sensitive data, legal consequences, and ongoing vulnerability to future attacks. These consequences can vary depending on the nature and extent of the breach, the organization's preparedness and response, and the specific objectives of the state-sponsored threat actors.

Are there any specific industries or sectors that are more likely to be targeted by state-sponsored threats?

Critical infrastructure sectors such as energy, telecommunications, finance, and healthcare have been targeted due to their strategic importance and potential impact on a nation's stability or economy. Additionally, industries involved in sensitive research, defense, or technology development may also be at higher risk.

What are some additional countermeasures or best practices that organizations can implement to protect themselves against state-sponsored threats beyond the ones mentioned in the article?

There are additional measures organizations can consider. These may include regularly updating and patching software systems, implementing multi-factor authentication, conducting regular security assessments and penetration testing, establishing incident response plans, enhancing employee training and awareness programs, and collaborating with cybersecurity agencies and industry peers to share threat intelligence and best practices. Organizations should also consider engaging third-party cybersecurity professionals to perform audits and provide ongoing monitoring and support.
