The Awake Security division of Arista Networks has discovered evidence linking the Hades ransomware gang to Hafnium, the state-sponsored threat actor operating from China that Microsoft says is behind the recent Exchange hacks. 

As they encountered the Hades threat actor, the group appeared to exhibit a number of characteristics that were "at once unlike other ransomware gangs, almost amateurish in a sense, while at the same time showing the type of sophistication and obfuscation that is more the forte of nation-state based advanced persistent threats (APT)," Jason Bevis, VP, Awake Labs, Awake Security, writes. 

Awake also found evidence that the threat actor behind Hades may be after more than a ransom payout and have broader motives.  A few details from the report show how Hades:  

  • Has only executed a small number of attacks, unlike other ransomware actors who go after a higher volume for a higher payout
  • Has been very precise in targeting certain industries, especially those related to automotive supply chain
  • Exfiltrates large amounts of data focused on manufacturing processes
  • Does not disclose the most consequential data when it posts on leak sites (i.e. keeps the “crown jewels” to themselves)
  • Has been uncharacteristically slow to respond to victims seeking to pay ransom

Awake Security discovered tactics, techniques and procedures that can be attributed to multiple sophisticated adversaries including, currently in the news, Hafnium group. Based on a forensic timeline they built across multiple engagements, they believe there is significant evidence that points to one of two possibilities:

  • An advanced threat actor is operating under the guise of Hades;
  •  Multiple independent actors just coincidentally compromised the same environment, potentially due to weak security practices in general.

For the full report, please visit