Chinese APT Hafnium Attacking Microsoft Exchange Servers

By Anthony Eich on March 25, 2021

Executive Summary

Volexity, a U.S. based cybersecurity company released information regarding an active hack from a Chinese government backed Advanced Persistent Threat (APT) hacking group known as Hafnium that is specifically targeting on-premises (no cloud servers have been targeted so far) Microsoft Exchange servers [1]. Microsoft confirmed the attacks in a press release on March 2, 2021 in a statement by Tom Burt, the Corporate Vice President, Customer Security & Trust. The servers being targeted are Exchange 2013, 2016, and 2019, and they are being exploited by four zero-day vulnerabilities. It is believed that the attacks began on or about January 6, 2021 but were only recently announced to the public [2]. Microsoft and The US Cybersecurity and Infrastructure Security Agency (CISA) have issued directives to all users of these Microsoft Exchange servers to install emergency patches that have been made available to mitigate the zero-day vulnerabilities [3]. These attacks along with the many other attacks such as the recent “Sunburst” (a.k.a. “SolarWinds Hack”) show a growing effort by nation state sponsored hacking groups to attempt to level a global power struggle that has been traditionally dominated by military might.


Hafnium, prior to this attack, was a known APT but had rarely been discussed openly outside of the cybersecurity realm [4]. As such the group has not yet been classified with an APT number as is customary for well-known threats. However, the group has now made an impact that has gained their organization notoriety on a global scale. The hacking activity that Hafnium has conducted in these 2021 attacks shows just how advanced the group is in their tactics, which leads authorities such as those from Microsoft to classify the group as a nation-state threat actor . It is not known at this time how long the group has been active, and previous attacks have not been widely publicized. According to the press release by Burt,

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.” [2]


The targets of the group have been the on-premises Microsoft Exchange email servers of organizations, meaning that the vulnerabilities that have been used are specific to servers that are physically present within the infrastructure of said organizations, not cloud servers, which limits the scope of the attack but is still a major concern for organizations of any scale that employ the on-premises servers [3]. Because the zero-day attacks have been recorded and added to the MITRE corporation’s Common Vulnerabilities and Exposures list at their https:\\ website as of February 8, 2021 the zero-days are now out in the open for anyone to use. This means that these attacks could have a devastating domino effect while these Exchange Servers remain unprotected by the now-available updates. The list includes: Server-Side Request Forgery CVE-2021-26855; Unified Messaging Service CVE-2021-26857; Post-Authentication Arbitrary File Writing Vulnerabilities CVE-2021-26858; and Post-Authentication Arbitrary File Writing Vulnerabilities CVE-2021-27065 [1]. When these attacks were first propagated, they were deliberate and well hidden, with the Hafnium group being able to exfiltrate entire email inboxes with little to no detection. Now that the group and its activities have been outed, the attacks have become less covert as Hafnium and other bad-actors scramble to grab as much data as they can before the window of opportunity closes as the updates disseminate [5].


As the battlefield of cyber warfare continues to take shape, it is clear that China has decided that this is the realm in which they will be most likely to level the playing field with other global super-powers. While the United States continues to maintain military superiority with its massive defense budget of over $600 billion [6], China has very rapidly invested much of its resources into funding the wide array of hacker groups within its borders. The low cost of funding these hacker groups, with the high rate of return on the secrets stolen primarily from the United States, has made this a highly profitable enterprise for the nation state. Estimates state that China houses more than 40% of the world’s hacking traffic according to a report by ABC News [7] and these attacks show that there is a concerted effort that is well planned and funded that is intended to help China steal its way into a competitive race with the United States and its allies. That being said, the threat is well known, and efforts are continuously under-way to mitigate this type of activity through both defensive and offensive security led by U.S. Government organizations such as CISA and the Federal Bureau of Investigations along with private organizations such as Volexity which will continue to rally against these highly volatile attacks.


  1. Naraine, Ryan. 2021. Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group. 03 02. Accessed 03 24, 2021.
  2. Burt, Tom. 2021. New nation-state cyberattacks. 03 02. Accessed 03 25, 2021.
  3. Osborne, Charlie. 2021. CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now. 03 04. Accessed 03 25, 2021.
  4. Krebs, Brian. 2021. Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails. 03 02. Accessed 03 25, 2021.
  5. O’Neill, Patrick Howell. 2021. How China’s attack on Microsoft escalated into a “reckless” hacking spree. 03 10. Accessed 03 25, 2021.
  6. Ioanes, Ellen. 2020. This is how the US and Iran rank among the world’s 25 most powerful militaries. 01 07. Accessed 03 25, 2021.

7. n.d. The 7 Top Hacking Countries. Accessed 03 25, 2021.