Microsoft announced on Monday that it had seized 42 websites used to collect intelligence from foreign ministries, think tanks and human rights organisations in 29 countries, in order to disrupt cyber-espionage by a Chinese state-backed hacking group.
A federal court in Virginia granted the company’s request to seize the domains from Nickel, a group that is also known as APT15 or Vixen Panda.
Microsoft’s Digital Crimes Unit was able to seize the US-based sites and redirect visitors to its secure servers. This ‘helps us protect current and future victims, while learning more about Nickel’s activities’, the company said in a press statement.
Nickel attacked organizations in both the public and private sectors. Microsoft says, however, that it has not found any vulnerabilities in Microsoft products.
Tom Burt (corporate vice president, Microsoft) wrote: ‘Obtaining control of the malicious websites and redirecting traffic on those sites to Microsoft’s secure servers will help protect existing and future victims. We also learn more about Nickel’s activities.
“Our disruption won’t prevent Nickel from continuing its hacking activities, but we believe that we have removed one key piece of infrastructure the group relied on to support this latest wave.
The Microsoft Threat Intelligence Center (MSTIC) has been following Nickel since 2016 and analysing this activity since 2019.
Burt said that while the attacks MSTIC detected were highly complex and utilized a range of techniques, they almost always had one goal: inserting hard-to-detect malicious software to facilitate intrusion, surveillance, and data theft.
Nickel targeted both public and private organizations; however, Microsoft says it has not discovered any new vulnerabilities in Microsoft products in relation to these attacks.
Microsoft found that the attackers used stolen credentials or compromised third-party virtual private network (VPN) suppliers to carry out their attacks.
Spearphishing is the use of targeted electronic messages by attackers to deceive individuals or businesses and install malware on the targeted users’ computers.
MSTIC discovered that Nickel malware exploits flaws in SharePoint Server and Exchange Server.
Microsoft says it has developed unique signatures to detect and protect against known Nickel activity in its security products, such as Microsoft 365 Defender.
Burt said that Nickel has been targeting North America, Central America and South America.
“There’s often a correlation between Nickel’s targets and China’s geopolitical interest. Other members of the security community have also used other names for this actor group, such as KE3CHANG and APT15.
“In addition to the U.S., the countries where Nickel has been active are: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Mali, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago and the United Kingdom.