Microsoft seizes domains used by China-linked APT to target orgs in dozens of countries across the globe


Microsoft has announced the seizure of dozens of domains used by the China-based APT group Nickel in attacks against government agencies, think tanks and human rights organizations in the U.S. and 28 other countries worldwide.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Microsoft vice president Tom Burt noted in a blog post.

Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to "cut off Nickel's access to its victims and prevent the websites from being used to execute attacks."

Microsoft said it has been tracking Nickel (aka “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon”) since 2016 and has been “analyzing this specific activity since 2019”. Described as “highly sophisticated”, the group uses a variety of techniques, as well as hard-to-detect malware that facilitates intrusion, surveillance and data theft. In some cases the APT group has been observed using compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns, or exploiting vulnerabilities in unpatched on-premises Exchange Server and SharePoint systems. Microsoft says, however, that its MSTIC team has not observed any attacks where Nickel exploited any new vulnerabilities in Microsoft products.

Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa.

“Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share activity we see, regardless of where it originates,” Microsoft said.