This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

| 3 minutes read

The Hafnium Attack: evolving risk of cyber-attacks for the finance sector

Recently email servers of the European Banking Authority (EBA) were compromised as part of a zero-day exploit cyber-attack. We recently warned of the similar risks posed by wholesale cyber-attacks—attacks on service providers that affect large numbers of organizations at the same time, following significant disruption to the US Government and several companies in connection with the SolarWinds attacks. We consider the EBA zero-day attack and address ongoing challenges in this area.

The Hafnium Attack

On 2 March 2021, Microsoft announced that a Chinese state-sponsored actor known as “Hafnium” had exploited vulnerabilities in the Microsoft Exchange Server email platform to control and access private data from a number of entities in the US and worldwide. On 7 March 2021, the EBA announced in turn that it was one of the victims. The EBA confirmed that attackers may have gained access to personal data, but the full extent of the hack is still unclear. Current estimates are that tens of thousands of firms were affected.

The attack again illustrates the ever-increasing risk of cyber-attacks. The zero-day exploit saw Hafnium target vulnerabilities in the Microsoft software that many companies use for their on-premises systems, and then attack thousands of customers in a separate-but-coordinated way.  It appears to developed intoa free-for-all, with criminal groups taking advantage of the attack.

The incident follows the recent “wholesale” attack against systemic providers of software or security, whose broad customer base offers hackers access to a wide range of private data and potential to cause maximum disruption globally. As regulators have warned, the finance sector is a prime target for actors who seek to cause disruption to multiple entities by targeting important institutions to threaten cyber resilience.

Collateral Risks

Even where financial institutions are not direct targets of attacks, they may be exposed due to outsourcing and/or third-party arrangements with other systemic service providers. Organizations are increasingly expected to account for third-party risk as part of their data governance practices. Recent regulatory guidance on third-party risk management includes the UK Prudential Regulation Authority’s (PRA) outsourcing and third party risk management consultation and the discussion paper published by the Financial Stability Board and updates to guidance on third-party relationships from the Office of the Comptroller of the Currency. In practice, effective allocation of risk and liability with third-party vendors can be difficult to negotiate.

What to do? 

We will continue to offer guidance during 2021 and beyond on the changing landscape in this area; keep an eye on our newsletters and blogs for further updates.


cyber security, litigation