The naming of cyberthreats and cybergangs has long been a confusing matter, as different reporters and researchers seek out different names, often at least as much in the hope of dominating media coverage as in bringing clarity and objectivity to an already sensationalized field.
HAFNIUM, often written in all-caps despite not being an acronym or abbreviation for anything, comes from Microsoft’s “chemical elements” era, when the tech giant chose funky names from the periodic table to denote cybercrime groups, notably those that appeared to be working on behalf of the government of a sovereign independent state.
So-called state sponsored actors ended up with names including Polonium, Seaborgium, Gallium, Terbium, and Hafnium.
Confused?
You should be, not only because the names actively invite readers to make unwanted inferences about the nature of the threat actors based on the properties of the elements chosen, but also because of the very real risk of ambiguity.
The word Chromium, for example, ended up as the name of the open source parts of Google’s browser project – the core of Chrome, the most widely-used desktop browser in the world by far, and many other browsers besides – and of an allegedly Chinese threat actor group variously known as AQUATIC PANDA, ControlX, RedHotel, BRONZE UNIVERSITY, and Charcoal Typhoon.
Back to Hafnium, which I’ll write as a proper noun from now on so it doesn’t look like internet SHOUTING, and to early 2021.
These threat actors found, bought up, or stumbled upon a series of zero-day security holes in Microsoft Exchange, which was then still widely used as an on-premises mail server.
These holes were used to mount a concerted attack against mail servers worldwide, as investigative journalist Brian Krebs reported in March 2021:
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations. […]
The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
Once the security holes were identified, Microsoft acted quickly to patch them, but sysadmins who didn’t patch promptly remained vulnerable, whereupon the attackers apparently went out of their way to find and infiltrate any remaining unpatched systems before their bugs became useless.
Once they had access to vulnerable servers, the attackers had hit a seam of cybercrime gold, as one security researcher put it back in 2021:
You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.
Worse than that, the attackers typically left behind malware files known as webshells on servers they had penetrated, thereby creating secretive backdoors that would let them keep accessing those servers even after they were patched.
The security holes and the methods used in the attacks themselves were quickly dubbed ProxyLogon, a nickname that referred to the nature of one of the bugs, but were also widely, if confusingly, referred to as Hafnium, along with the attackers themselves.
“Are you safe against Hafnium?” thus became a complicated question.
The Hafnium threat actors weren’t limited to using just the Hafnium vulnerabilities; and the Hafnium vulnerabilities, once they became widely known, weren’t limited just to the Hafnium threat actors.
The threat of servers that remained unpatched or infected with webshells even after the ProxyLogon vulnerabilities became widely known was considered so great that the FBI was given a court warrant to counter-hack vulnerable servers in the US, deliberately breaking in “for good” to patch and disinfect them.
Fast forward to today, and Microsoft has changed its naming protocol for cyberthreat groups, introducing a “first name/last name” system based on meteorology rather than the periodic table, so that what used to be Hafnium is now Silk Typhoon, where “typhoon” denotes a China-based group and “silk” is apparently a randomly-chosen noun with no metaphorical or adjectival implications.
(As an example, the Volt Typhoon group doesn’t focus on the power grid, and Salt Typhoon is best known for its association with hacking into telecommunications companies, not for attacking the maritime industry.)
Well, earlier this week, the US Department of Justice announced that two Chinese nationals had been indicted for their alleged role in the Silk Typhoon group, including for the so-called Hafnium/ProxyLogon attacks more than four years ago.
One of them, Zhang Yu, 44, remains at large, but the other, Xu Zewei, now 33, an IT manager in his native China, has been arrested in Italy.
Reports suggest that Xu had traveled to Italy on vacation with his wife; on being dragged into court, he apparently suggested that his identity might have been stolen, but he has nevertheless been remanded in custody and faces extradition to appear in court in America.
If extradited and convicted, Xu faces anywhere from two years to several decades in custody, meaning that his overseas trip could last a lot longer than he expected.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of Hafnium shavings by Deglr6328 via Wikimedia Commons under a CC BY-SA 3.0 license.