Hafnium

hafnium · primary source: Microsoft · first observed 2020
CN · China · State-sponsored · High confidence

PRC state-sponsored intrusion set named by Microsoft for the January 2021 mass exploitation of on-prem Exchange Server via the ProxyLogon chain (CVE-2021-26855 / -26857 / -26858 / -27065). Hafnium operated targeted intrusions from leased U.S. VPS infrastructure; after Microsoft's March 2, 2021 out-of-band patch dropped, dozens of unrelated actors piled into the vulnerability and shelled ~250,000 internet-exposed Exchange servers globally. Microsoft folded Hafnium into the Silk Typhoon designation in its 2023 weather-system taxonomy.

Aliases

Silk Typhoon (Microsoft)

Motivations

espionage

Target sectors

defense · education · ngos · law · research

Target countries

US · GB · AU

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Hafnium
  • China
  • espionage
Infrastructure
Victim
  • defense
  • education
  • ngos
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Timeline

0 events
No timeline events recorded yet.

Indicators of compromise

0 indicators
No indicators of compromise have been cataloged for this actor yet.

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). Hafnium — actor profile. Retrieved from https://threatintel.local/actors/hafnium

no cited activity