Microsoft Seizes Domains Used by China-Linked APT ‘Nickel’
Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide.
The tech giant took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia, which quickly granted an order in this regard.
While the seizure cuts off the group’s access to some of its victims, it is unlikely to put an end to Nickel’s activities. Microsoft does, however, believe that the infrastructure it just seized was used in the group’s most recent wave of attacks.
“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Microsoft says.
In activity Microsoft has been tracking since 2019, Nickel used the now-seized websites to attack victims in 29 countries across Europe, Central and South America, the Caribbean, and North America, mostly to harvest intelligence from government agencies, human rights organizations, and think tanks.
Active since at least 2013 and also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda, the hacking group is likely sponsored by the Chinese government, as its activities often fall in line with China’s geopolitical interests.
The adversary gains initial access through vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials, then relies on custom, hard-to-detect malware for intrusion, surveillance, and data exfiltration.
Microsoft says the threat actor targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems; it did not observe Nickel exploiting any new vulnerabilities in Microsoft products.
The group was observed maintaining long-term access to the target organizations, which allowed it to exfiltrate data of interest on a regular basis. It deployed a keylogger to harvest credentials, along with credential-dumping tools and techniques such as Mimikatz, WDigest (whose plaintext credential caching attackers re-enable through the registry), NTDSDump, and more.
For command and control, Nickel deployed malware families such as Leeson, Neoichor, NullItch, NumbIdea, and Rokum. Of these, Leeson, Neoichor, and NumbIdea rely on Internet Explorer for their C2 communications, Microsoft says.
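The credential-dumping activity described above leaves recognizable traces on an endpoint. The following is an added example, not code from Microsoft's report or from the article, showing a minimal detector for the three techniques named (WDigest plaintext caching switched back on, a non-system process reading LSASS memory, and NTDS/Mimikatz-style command lines), run over constructed Sysmon-style events. The field names follow Sysmon (EventID 1 = process creation, 10 = process access, 13 = registry value set); the events, the file paths and the allowlist of legitimate LSASS readers are all assumptions made up for illustration and would need tuning to a real environment.

```python
"""Added example: detect credential-dumping traces in Sysmon-like events.

Not Microsoft's or Nickel's code. The sample events below are constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Assumption: processes that legitimately read LSASS memory on a typical host.
# An incomplete list produces false positives; tune it per environment.
LSASS_READER_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Windows access-mask bit required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Command-line fragments typical of NTDS.dit extraction or Mimikatz usage.
DUMP_CMDLINE = re.compile(r"ntds\.dit|ntdsutil.*\bifm\b|ac i ntds|sekurlsa|mimikatz", re.I)


def enables_wdigest_caching(ev: Event) -> bool:
    """EventID 13: UseLogonCredential set to a non-zero DWORD re-enables plaintext caching."""
    if ev.get("EventID") != "13":
        return False
    target = ev.get("TargetObject", "").lower()
    if not target.endswith(r"\securityproviders\wdigest\uselogoncredential"):
        return False
    m = re.search(r"DWORD \(0x([0-9a-f]{8})\)", ev.get("Details", ""), re.I)
    return bool(m) and int(m.group(1), 16) != 0


def reads_lsass_memory(ev: Event) -> bool:
    """EventID 10: a process outside the allowlist opened lsass.exe with VM_READ."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in LSASS_READER_ALLOWLIST:
        return False
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(access & PROCESS_VM_READ)


def dump_tool_commandline(ev: Event) -> bool:
    """EventID 1: command line matches NTDS extraction or Mimikatz patterns."""
    return ev.get("EventID") == "1" and bool(DUMP_CMDLINE.search(ev.get("CommandLine", "")))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("wdigest_caching_enabled", enables_wdigest_caching),
    ("lsass_memory_read", reads_lsass_memory),
    ("credential_dump_commandline", dump_tool_commandline),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that triggers a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events (not real telemetry). Indices 0, 2 and 4 are malicious.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",  # hardening, not an attack
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": "10", "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": "1", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp" q q'},
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

The rules deliberately key on behaviour rather than tool names where they can: a renamed Mimikatz still needs VM_READ on LSASS, and the WDigest rule fires on the registry value regardless of which binary sets it, while a value of 0 (the hardened setting) is ignored.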
Backdoors deployed by the group can harvest system data (IP address, OS version, language ID, computer name, username), launch processes, download/upload files, and execute shellcode.
“No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders. We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace,” Microsoft says.
To date, Microsoft has filed 24 lawsuits against threat actors, including five against nation-state adversaries, which have allowed it to take down roughly 10,000 malicious websites, 600 of them used by state-sponsored hackers. The company says it has also blocked the registration of 600,000 additional sites.