Hades Ransomware Gang Linked to an Exchange Attack
Awake Security Finds Connection Between Hafnium Group and Hades
Researchers at Awake Security say at least one attack launched by the operators of Hades ransomware has a connection to the China-linked Hafnium group waging attacks on vulnerable Exchange servers.
On March 2, when Microsoft issued four patches for vulnerabilities in on-premises Exchange servers, the company said a Chinese gang it dubbed "Hafnium" was responsible for a series of attacks that exploited the flaws. But other researchers have said several cyber gangs were responsible.
As of Thursday, more than 92% of vulnerable servers had been patched or mitigated, Microsoft said in an update (see: Microsoft: Exchange Ransomware Activity 'Limited' So Far).
The Hades Connection
Awake Security made the connection between Hafnium and a Hades ransomware attack while investigating a December 2020 incident. The researchers say they found a Hafnium domain identified as an indicator of compromise within the timeline of a Hades attack.
"The use of a Hafnium IOC within an Exchange environment leads us to make the connection to Hafnium specifically," says Jason Bevis, vice president of the Awake Labs unit of Awake Security.
This incident occurred before the security consulting firm DEVCORE began investigating the Exchange flaws and then shared the results with Microsoft.
"We only saw this in one of the multiple Hades-related cases we were engaged in," Bevis says. "We do not have any evidence yet on the use of Hades in other Exchange-related attacks. But we are continuing to investigate this."
CrowdStrike disagrees with Awake Security's final analysis, saying that, based on code overlap, Hades is a variant of WastedLocker, which would mean it is spread by Evil Corp, also known as Indrik Spider.
"Hades is merely a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes," CrowdStrike said in a March 17 report.
Bevis counters by saying: "We are aware of the report, and while we have observed IoCs associated with Evil Corp, as the post alludes, we saw a number of other TTPs from other actors."
Code from the TimisoaraHackerTeam gang and other groups was also found in the Hades attacks, Awake Security says.
Awake Security's researchers conclude that the attackers behind the Hades ransomware attacks do not use their own malware and may also work with other groups. The attackers focus on hitting a few targets in specific industries, they say.
"We believe the Hades group is leveraging multiple [ransomware-as-a-service] or other groups as part of their attack," Bevis says.
The Hades group focuses many of its attacks on manufacturing firms, specifically those in the automotive supply chain sector located in the U.S., Canada, Germany, Luxembourg and Mexico, Awake Security says. The gang also attempts to extort ransom payments ranging from $5 million to $10 million, the researchers say.
Last week, Accenture reported that a previously unknown group had used Hades ransomware in attacks against three U.S. companies in the transportation, consumer products and manufacturing sectors (see: Hades Ransomware Targets 3 US Companies).
"We believe that the Hades group had a clear motive of targeting a few companies to obtain specific data out of each organization," Bevis says. "Some of this data focused on third-party relationships within the industry, while other data was associated with specific manufacturing product and process development and functions."
The Hades gang steals credentials and related corporate data after moving laterally through the system, identifying accessible shared directories on file servers, the Awake Security report says.
Like many ransomware gangs, the operators behind Hades run sites where they leak some victims' data in an attempt to shame the targets into paying the ransom or risk having all their data publicly exposed, Awake Security says.
The researchers also found several instances where the operators of Hades wiped a victim's backup storage system.