Not Simon 🐐

Country: People's Republic of China Organization: Ministry of State Security (MSS) Objective: Espionage (Page Last Updated: January 11, 2025)

Aliases:

• HAFNIUM (formerly used by Microsoft) (ETDA, Malpedia, Mitre, Rapid7, Wikipedia)
• Operation Exchange Marauder (Volexity)
• Red Dev 13 (PwC)
• Silk Typhoon (Microsoft)
• UNC2639 (FireEye/Mandiant)
• UNC2640 (FireEye/Mandiant)
• UNC2643 (FireEye/Mandiant)

Links to Other Groups

• APT40 (Hainan State Security Department (HSSD), of the MSS)

Vulnerabilities Exploited

• CVE-2021-40539 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability Source: Implied to be CVE-2021-40539 by Microsoft
• CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft

The following four vulnerabilities have the same source: Microsoft

• CVE-2021-26855 (9.1 critical; NVD 9.8, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
• CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
• CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
• CVE-2021-27065 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2025

• January 10, 2025 – CNN: Chinese hackers breached US government office that assesses foreign investments for national security risks (news article)
• January 08, 2025 – Bloomberg: White House Rushes to Finish Cyber Order After China Hacks (news article)
• January 06, 2025 – CISA: CISA Update on Treasury Breach (news article)
• January 01, 2025 – Washington Post: Treasury’s sanctions office hacked by Chinese government, officials say (news article)

2024

• December 30, 2024 – New York Times: China Hacked Treasury Dept. in ‘Major’ Breach, U.S. Says (news article)

2022

• April 12, 2022 – Microsoft: Tarrask malware uses scheduled tasks for defense evasion

2021

• December 11, 2021 – Microsoft: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
• August 19, 2021 – National Counterintelligence and Security Center: HAFNIUM Compromises MS Exchange Servers (PDF)
• July 19, 2021:
  • U.S. White House: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China
  • CISA: Mitigate Microsoft Exchange Server Vulnerabilities (ATTRIBUTION)
  • UK Government: UK and allies hold Chinese state responsible for a pervasive pattern of hacking
  • NCSC-UK: UK and allies hold Chinese state responsible for pervasive pattern of hacking
• April 13, 2021 – U.S. Department of Justice: Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities
• March 23, 2021 – Rapid7: Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange
• March 11, 2021 – ShadowServer: Shadowserver Special Reports – HAFNIUM Exchange Victims
• March 10, 2021 – FBI: Compromise of Microsoft Exchange Server (PDF)
• March 04, 2021 – FireEye: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
• March 02, 2021:
  • Microsoft: New nation-state cyberattacks
  • Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
  • Volexity: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat