Who is Behind the Attack?
The group behind this latest attack, according to Microsoft, is Hafnium, a China-based group which it calls a “highly skilled and sophisticated actor”. The group is Chinese in origin, though activity is carried out via virtual private servers in the United States.
Hafnium has a three-pronged attack strategy when it comes to infiltrating the Microsoft Exchange Server. First, it gains access to the Exchange Server with stolen passwords, or via known vulnerabilities. Then, a web shell is created to control the server remotely. Lastly, this remote access is used to siphon data from the compromised company.
Once established, the hacking group can retain unfettered access to the server and continue siphoning off information indefinitely.
Previously, in instances where Hafnium has gained access to a network, it has moved data to file sharing sites, such as MEGA.