Microsoft has found that a state-sponsored threat actor operating from China, called Hafnium, is targeting U.S. defense contractors, law firms, policy think tanks, infectious disease researchers and other entities to steal data by compromising on-premises Exchange Server software.
Tom Burt, corporate vice president for customer security and trust at Microsoft, wrote in a blog post published Tuesday that the Microsoft Threat Intelligence Center discovered that Hafnium carried out its operations through U.S.-based leased virtual private servers.
Hafnium uses three steps to carry out its attacks: gaining access to a server using undetected vulnerabilities and stolen passwords, creating a web shell to remotely control the compromised server and exfiltrating data using remote access.
The company issued security updates to help customers running Exchange Server protect themselves against Hafnium-led attacks and informed U.S. government agencies of the threat actor's activity.
Burt noted that Microsoft worked with researchers from Dubex and Volexity to address the cyber threat posed by Hafnium.