Microsoft has found that a state-sponsored threat actor operating from China, called Hafnium, is targeting U.S. defense contractors, law firms, policy think tanks, infectious disease researchers and other entitles to steal data by compromising on-premises Exchange Server software.
Tom Burt, corporate vice president for customer security and trust at Microsoft, wrote in a blog post published Tuesday that the Microsoft Threat Intelligence Center discovered that Hafnium carried out its operations through U.S.-based leased virtual private servers.
Hafnium uses three steps to carry out its attacks: gaining access to a server using undetected vulnerabilities and stolen passwords, creating a web shell to remotely control the compromised server and exfiltrating data using remote access.
The company issued security updates to help clients running Exchange Server to protect themselves against Hafnium-led attacks and informed U.S. government agencies on the threat actor's activity.
Burt noted that Microsoft worked with researchers from Dubex and Volexity to address the cyber threat posed by Hafnium.