Quote: The Hades ransomware gang has several unique characteristics that set it apart from the rest of the pack, according to researchers – including potentially having more than extortion on the to-do list. The group appears to use multiple nation-state tools and techniques.
The researchers said that its investigations into the group’s cyberattacks at the end of 2020 suggest one of two possibilities: There is an advanced persistent threat (APT) operating under the guise of Hades, possibly Hafnium; or, several different groups coincidentally compromised the same environments, “potentially due to weak security practices in general.”
In one Hades ransomware attack, the Awake team identified a Hafnium domain as an indicator of compromise within the timeline of the Hades attack.
Hafnium is an APT believed to be linked to the Chinese government, which Microsoft identified as carrying out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities now known as ProxyLogon.
“Moreover, this domain was associated with an Exchange server and was being used for command and control in the days leading up to the encryption event,” according to the posting. “Based on [another team’s] analysis this domain was first seen in a Hades attack in December 2020. Clearly at this point the vulnerability in Exchange had not been publicly disclosed but this attack time frame aligns more closely with the DevCore vulnerability discovery date. This clearly provides evidence of the attack prior to January 2021, which has been the consensus until now.”
Read more: Hades Ransomware Gang Exhibits Connection to Hafnium | Threatpost