Techniques Used by Hafnium to Target Microsoft Exchange Servers

Summary: On March 2, 2021, Microsoft released multiple security updates to address four zero-day vulnerabilities that are being exploited by Hafnium to attack Microsoft Exchange Servers and steal sensitive information. In this post, we’ve discussed various techniques used by Hafnium to target and compromise Microsoft Exchange Servers in more than 100 countries. We’ve also mentioned an Exchange recovery tool that can help recover mailboxes from a compromised or crashed Exchange Server.

Techniques Used by Hafnium to Target Microsoft Exchange Servers

Hafnium, a cyber-espionage group allegedly sponsored by China, came into the news once again when it started targeting and exploiting the Microsoft Exchange server vulnerabilities in March 2021. It is estimated that Hafnium impacted more than 30,000 organizations and businesses worldwide. Hafnium exploited the Remote Code Execution (RCE) vulnerability, called ProxyLogon, to bypass the security and access the Exchange server without authentication.

After compromising the server, the threat actors installed web shells, malware, and backdoors in the organization’s server and network. These web shells and backdoors were then used to steal sensitive information and data.

In this post, we will learn and understand various tactics and techniques used by Hafnium to target and attack Microsoft Exchange Servers.

Tactics, Techniques, and Procedures used by Hafnium

Hafnium utilized 11 of 14 techniques and tactics of MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) framework to exploit the four 0-day vulnerabilities on on-premises version of the MS Exchange server. The vulnerabilities exploited by Hafnium are as follows:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These vulnerabilities mainly affected Microsoft Exchange 2013, 2016, and 2019 versions. The CVE-2021-26855 allowed the Hafnium attackers to send arbitrary HTTP requests while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities allowed remote code execution (RCE). Following are some exploit tools used by Hafnium to access and control compromised Exchange servers:

  • ProcDump
  • Nishang
  • PowerCat
  • Adfind.exe
  • nbtscan.exe
  • PsExec
  • Covenant
  • 7-Zip
  • WinRar
  • China Chopper
  • Exchange Snapins

Hafnium utilized various techniques to infiltrate the organization’s network and steal confidential business data. The techniques and tactics used by Hafnium are as follows:

1. Reconnaissance (TA0043)

It consists of techniques used for information gathering, such as details of the target organization, to plan and execute the attack. The threat actors scan the target server for vulnerabilities before compromising the server and gather information about the target host. And in this case, Hafnium is only required to know whether the Microsoft Exchange server runs on the target server. If yes, which version.

2. Resource Development

The tactic includes techniques that involve adversaries to create, purchase, or steal resources used for targeting the victim, such as phishing email account, domain, or virtual private servers. Hafnium conducted its attacks and operations from leased Virtual Private Servers (VPS) in the United States. It also used the free and commercial exploit tools mentioned earlier to compromise the server and perform various unauthorized activities.

3. Initial Access

The Initial Access tactic consists of techniques used by attackers, such as spear phishing and exploiting vulnerabilities or weaknesses on the target web server, to gain an initial foothold within a network. Hafnium exploited the four 0-day Microsoft Exchange Server vulnerabilities for initial access.

4. Execution

This tactic includes techniques used to run malicious codes on a local or remote system, explore networks or steal data. Once the threat group has gained access to the victim’s server, they can execute malicious PowerShell scripts and install malware or backdoors. Hafnium installed and used the web shells on the victim’s server to execute malicious code via Windows Command Shell or Command Prompt (CMD.exe).

5. Persistence

The tactic involves techniques where adversaries keep or maintain their foothold on the target server after it’s infiltrated and compromised through system restart, changed passwords, or other interruptions that could cut off the access. Hafnium installed web shells, malware, and backdoors on the victim’s server to keep their foothold on the system. Following are the web shells used by Hafnium to establish persistence on the target server:

  • China Chopper

For backdoors, Hafnium creates a Domain account and grants privileges to these accounts for future attacks.

6. Defense Evasion

This involves techniques used to avoid detection by security tools throughout the compromise. This includes removing or uninstalling security tools, deleting files, masquerading, encrypting data, renaming system utilities, etc. Hafnium used the masquerading technique to deploy the web shells and match legitimate names/locations, such as errorpage.aspx, logout.aspx, etc. By appearing as legitimate, web shells can evade detection by users or security tools.

7. Credential Access

This tactic involves techniques, such as Brute Force, Password Guessing, cracking, spraying, credential stuffing, etc., to steal user account credentials. Hafnium utilized the OC Credential Dumping technique to obtain the credentials of employees. They used the ProcDump command to dump the user credentials. Also, they stole the NTDS.dit file by using the web shells, which is Active Directory Domain Services database containing AD data and information, such as password hashes for all users.

8. Lateral Movement

Lateral Movement techniques involve adversaries taking control of the remote system by exploring the network. Hafnium utilized the PsExec tool for lateral movement on the target Exchange server. PsExec is a legitimate Windows Sysinternals tool often used by threat actors to access and control remote systems.

9. Collection

The adversaries, i.e., Hafnium, use various collection techniques, such as archive via utility to compress and encrypt data. Hafnium used WinRar and 7-zip to compress and encrypt business data on the target environment. It also used the Email Collection technique to access the emails and collect sensitive information using access tokens, valid accounts, or exploits. They further used the Exchange Snap-ins to export mailbox data.

10. Command and Control

It involves techniques used to communicate and control the target server or system. Hafnium took the command and control of the victim’s server by deploying the web shells. The group communicates with these web shells over application layer protocols, i.e., HTTP/HTTPS, and avoids detection or network filtering.

11. Exfiltration

The tactic involves techniques that adversaries use to steal the data from infiltrated or compromised networks while evading detection. This involves techniques to compress/encrypt the data and transfer the data out of the victim’s network. Hafnium utilized the Exfiltration over web service that allows them to upload, modify, and recover files via cloud file-sharing applications, such as


This blog post provides an overview of various tactics and techniques used by Hafnium to target, infiltrate, and compromise the vulnerable Microsoft Exchange Servers. To know if your Exchange server is vulnerable or compromised, follow our guide on Hafnium recovery. However, you may not be able to find and eradicate all the backdoors or web shells installed by the group for remote access. The best way to tackle Hafnium is to install and set up a new identical Exchange server instead of investigating and cleaning the current compromised server. You can use an Exchange recovery software, such as Stellar Repair for Exchange, to extract mailboxes from the database of the compromised Exchange server and export them to a database on the new identical live Exchange Server. The software helps you minimize downtime and automate the mailbox recovery task from a broken or crashed Exchange server with 100% integrity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.