Microsoft and other security experts have identified a state-sponsored hacking group called Hafnium that is operating out of mainland China.

In a blog post, Tom Burt, corporate VP of customer security and trust, said that Hafnium is a highly skilled and sophisticated actor that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors.”

Targeted sectors include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Mail server hack

Microsoft Threat Intelligence Center (MSTIC) has identified Hafnium as exploiting flaws in Microsoft mail server software in order to mine email inboxes.

“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software,” wrote Burt. “The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.”

“Second, it would create what’s called a web shell to control the compromised server remotely,” said Burt. “Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network.”

Burt said that, in order to protect customers from the exploits, Microsoft has released security updates for Exchange Server.

“We strongly encourage all Exchange Server customers to apply these updates immediately,” said Burt. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”

Microsoft said that it has briefed appropriate US government agencies on this activity.

“This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organisations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences,” noted Burt.

“We’re grateful to researchers at Volexity and Dubex who notified us about aspects of this new Hafnium activity and worked with us to address it in a responsible way,” said Burt.

Not SolarWinds

Burt was keen to stress that the Hafnium exploits are not connected to the separate SolarWinds attacks.

A US senator and some other figures have blamed a known Microsoft flaw for the SolarWinds supply chain attack.

But Microsoft has denied this.

Microsoft has previously admitted that the SolarWinds hackers had actually accessed and viewed source code repositories within Redmond.

In January multiple US intelligence agencies declared that Russia was the likely culprit of the damaging SolarWinds supply chain compromise.

Chinese reaction

In a separate blog post, cyber-security firm Volexity said that in January it had noticed the hackers using one of the vulnerabilities to remotely steal “the full contents of several user mailboxes.”

China opposes all forms of cyber-attacks, Chinese foreign ministry spokesman Wang Wenbin was quoted by Reuters as saying at a news briefing in Beijing on Wednesday.

“China wishes relevant media and companies take a professional and responsible attitude, and base characterisations of cyber-attacks on ample evidence, rather than groundless guesses and accusations,” he said.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
