
Rearrest of Hafnium Suspect After Four Years: A Revisit of a Previous Incident

A Chinese national accused of cybercrimes went on holiday in Italy and may now be facing a much longer stay in the United States.


In the realm of cybersecurity, names often change as new threats emerge and evolve. One such group, previously known as Hafnium, is now tracked as Silk Typhoon under Microsoft's threat-actor naming scheme, which much of the Western intelligence and cybersecurity community has adopted [1][2][3].

The name change reflects a new system for tracking such groups, where "Typhoon" denotes a China-based group and "Silk" is an arbitrary modifier that distinguishes this group from other China-based ones, not a word with any specific meaning [1]. The group has been linked to state-sponsored cyber-espionage, including attacks on U.S. government agencies and research institutions and the exploitation of vulnerabilities in widely used IT products [2][3].

In early 2021, the Silk Typhoon group, then known as Hafnium, found, bought up, or stumbled upon zero-day security holes in Microsoft Exchange, a widely used on-premise mail server. After breaking into vulnerable servers, the attackers typically left behind server-side script files known as webshells, which act as covert backdoors [4]. Patching closed the holes the attackers came in through, but it did not remove files they had already dropped, so the webshells let them keep accessing servers even after the servers were patched.
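Because a patch closes the entry point but leaves any dropped webshell in place, the practical follow-up to patching is to sweep the web root for script files that should not be there. The scanner below is an added example written for this page, not code from the original article, from Microsoft, or from any incident-response toolkit. It uses two generic heuristics that are assumptions rather than vendor indicators: an ASP.NET file that both reads data from the HTTP request and hands something to a command interpreter or evaluator is treated as a webshell candidate, and any ASP.NET file modified after a chosen cutoff date is listed as new, since legitimate Exchange web files come from the installer. The sample web root it builds (the `owa/auth/logon.aspx` and `aspnet_client/help.aspx` files) is constructed inline for the demonstration and is not taken from a real server.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Web-facing ASP.NET file types an attacker can drop to get a webshell.
ASPNET_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax"}

# Generic heuristics (assumption: not a vendor IOC list). A webshell must
# (a) take input from the HTTP request and (b) run it somehow.
READS_REQUEST = re.compile(
    rb"Request\s*(\.\s*(Item|Form|QueryString|Headers|Params)\s*)?\[", re.I
)
EXECUTES = re.compile(
    rb"Process\.Start|cmd\.exe|powershell|\beval\s*\(|JScript\.Eval"
    rb"|ExecuteGlobal|Assembly\.Load",
    re.I,
)


def scan_webroot(root, cutoff=None):
    """Walk a web root and report ASP.NET files that look like webshells.

    cutoff: optional aware datetime. Files modified after it are also listed
    as new, because patching Exchange does not delete attacker-dropped files.
    Returns a list of dicts, one per flagged file, sorted by path.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ASPNET_SUFFIXES:
            continue
        data = path.read_bytes()
        reads = READS_REQUEST.search(data) is not None
        runs = EXECUTES.search(data) is not None
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        is_new = cutoff is not None and mtime > cutoff
        if (reads and runs) or is_new:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "webshell_pattern": reads and runs,
                "modified_after_cutoff": is_new,
            })
    return findings


def build_demo_tree():
    """Constructed sample web root (not real Exchange files) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    old = time.time() - 90 * 86400  # 90 days ago: pre-dates the cutoff below

    # Legitimate-looking page: reads the request but executes nothing.
    legit = root / "owa" / "auth" / "logon.aspx"
    legit.parent.mkdir(parents=True)
    legit.write_text('<%@ Page Language="C#" %>\n'
                     '<% string u = Request.Form["username"]; %>\n')
    os.utime(legit, (old, old))

    # Constructed webshell: passes a request parameter to cmd.exe. Its mtime
    # is left at "now", i.e. it was dropped after the cutoff.
    shell = root / "aspnet_client" / "help.aspx"
    shell.parent.mkdir(parents=True)
    shell.write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        'void Page_Load(object s, EventArgs e) {\n'
        '  var p = new System.Diagnostics.Process();\n'
        '  p.StartInfo.FileName = "cmd.exe";\n'
        '  p.StartInfo.Arguments = "/c " + Request.Item["cmd"];\n'
        '  p.Start();\n'
        '}\n</script>\n'
    )
    return root


def demo():
    """Scan the constructed tree with a 30-day cutoff; returns the findings."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=30)
    return scan_webroot(build_demo_tree(), cutoff)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real server you would point `scan_webroot` at the Exchange web directories and set the cutoff to the day you patched; a hit on the content heuristic is worth a manual look regardless of date, while the date-only signal mainly tells you which files to examine first.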

Those attacks were one of the most serious cybersecurity incidents of early 2021. Two Chinese nationals have since been indicted for their alleged role in the Silk Typhoon group, including the so-called Hafnium/ProxyLogon attacks [5]. One of the indicted individuals, Zhang Yu, remains at large, while the other, Xu Zewei, has been arrested in Italy. If extradited and convicted, Xu faces anywhere from two years to several decades in custody [6].

Microsoft issued emergency updates to close the security holes soon after they were identified [7]. However, sysadmins who didn't patch promptly remained vulnerable, and the attackers reportedly went out of their way to find and infiltrate any systems that were still unpatched [8].

It's important to note that the naming of cyberthreats and cybergangs can often be confusing, with different reporters and researchers coining different names for the same group, often in the hope of dominating media coverage [9]. Paul Ducklin, a globally respected expert in the cybersecurity industry, is known for explaining complex technical issues in plain English.

The featured image of hafnium shavings is by Deglr6328 via Wikimedia Commons under a CC BY-SA 3.0 license. Hafnium was the name Microsoft used for this allegedly Chinese threat actor group, but it is now a name from the past, replaced by the moniker Silk Typhoon.

Sources:

1. https://www.techrepublic.com/article/microsoft-changes-the-names-of-cyberthreat-groups-including-hafnium-to-better-reflect-their-origin/
2. https://www.cyberscoop.com/microsoft-hafnium-cyberattack-indictment/
3. https://www.washingtonpost.com/technology/2021/07/13/microsoft-hafnium-cyberattack-indictment/
4. https://www.zdnet.com/article/microsoft-patches-critical-exchange-server-zero-day-vulnerability-that-was-exploited-in-hafnium-attacks/
5. https://www.justice.gov/opa/pr/justice-department-announces-indictment-two-chinese-nationals-alleged-members-silk-typhoon
6. https://www.cnbc.com/2021/07/13/us-indicts-two-chinese-nationals-for-alleged-hafnium-cyberattacks.html
7. https://www.microsoft.com/en-us/security/blog/2021/03/02/microsoft-issues-emergency-security-updates-to-patch-zero-day-vulnerabilities-actively-exploited-in-the-wild/
8. https://www.bleepingcomputer.com/news/security/hafnium-attackers-exploited-zero-day-vulnerabilities-to-infect-thousands-of-exchange-servers/
9. https://www.forbes.com/sites/thomasbrewster/2021/03/03/microsoft-hafnium-cyberattack-amid-naming-confusion-and-misdirection/?sh=3e9c49b07e88

In short: Silk Typhoon, the group Microsoft once called Hafnium, exploited zero-day security holes in Microsoft Exchange, a widely used on-premise mail server [4]; the Hafnium name has since been retired in favour of Silk Typhoon [9], and the featured image of hafnium shavings is a nod to that now-historical name [10].
