HAFNIUM G0125 state
🇨🇳 CN
aka HAFNIUM, Operation Exchange Marauder, Silk Typhoon, ATK233, G0125, Red Dev 13, MURKY PANDA
Last updated: 2026-07-03
About this actor
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Source: MITRE ATT&CK
Activity timeline
- 2021 — 3 CVEs published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2021-26412 | 7.0 | 9.1 | 0.3040 | 2021-03-03 | see CVE |
| CVE-2021-27078 | 7.0 | 9.1 | 0.3255 | 2021-03-03 | see CVE |
| CVE-2021-26854 | 6.0 | 6.6 | 0.1957 | 2021-03-03 | see CVE |

T1003, T1003.001, T1003.003, T1005, T1016, T1016.001, T1018, T1033, T1057, T1059, T1059.001, T1059.003, T1068, T1071, T1071.001, T1078, T1078.003, T1078.004, T1083, T1095, T1098, T1105, T1110, T1110.003, T1114, T1114.002, T1119, T1132, T1132.001, T1136, T1136.002, T1190, T1199, T1213, T1213.002, T1218, T1218.011, T1505, T1505.003, T1530, T1550, T1550.001, T1555, T1555.006, T1560, T1560.001, T1564, T1564.001, T1567, T1567.002, T1583, T1583.003, T1583.005, T1583.006, T1584, T1584.005, T1589, T1589.002, T1590, T1590.005, T1592, T1592.004, T1593, T1593.003, T1685, T1685.005
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 40 / 66 | 61% |
| CM-6 | 36 / 66 | 55% |
| AC-3 | 32 / 66 | 48% |
| AC-6 | 30 / 66 | 45% |
| CM-2 | 29 / 66 | 44% |
| AC-2 | 28 / 66 | 42% |
| CA-7 | 26 / 66 | 39% |
| IA-2 | 24 / 66 | 36% |
| AC-5 | 23 / 66 | 35% |
| AC-4 | 22 / 66 | 33% |
| CM-7 | 21 / 66 | 32% |
| SI-3 | 21 / 66 | 32% |
| SI-7 | 21 / 66 | 32% |
| SC-7 | 20 / 66 | 30% |
| CM-5 | 19 / 66 | 29% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- APT28 0.28
- Magic Hound 0.28
- SolarWinds Compromise 0.26
- Ke3chang 0.25
- Chimera 0.24
Active in same years
- C0018 1.00
- SolarWinds Compromise 1.00
- SharePoint ToolShell Exploitation 1.00
- APT1 1.00
- Deep Panda 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00