Microsoft disrupts Chinese cyber-espionage group by seizing 42 websites used by hackers

Microsoft announced Monday that it has disrupted the cyber espionage of a state-backed Chinese hacking group by seizing 42 websites used to collect information from state ministries, think tanks and human rights organizations in 29 different countries, including the US.

The company said a federal court in Virginia granted its request last Thursday to seize the domains of the group it calls Nickel, which is also known as APT15 and Vixen Panda.

This allowed Microsoft’s Digital Crimes Unit to take over US-based websites and redirect traffic to its secure servers to “help us protect existing and prospective victims and learn more about Nickel’s activities,” the company shared in a press release.

Nickel has targeted organizations in both the private and public sectors, but Microsoft says it has discovered no new vulnerabilities in Microsoft products linked to the attacks.


Tom Burt, corporate vice president of Microsoft, said in the press release: “By taking control of the malicious websites and redirecting those sites’ traffic to Microsoft’s secure servers, we can protect existing and future victims while learning more about Nickel’s activities.

“Our disruption won’t stop Nickel from continuing with other hacking activities, but we do believe we’ve removed a key piece of infrastructure the group relied on for this latest wave of attacks.”

The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016 and has been analyzing this particular activity since 2019.

“The attacks that MSTIC has observed are highly sophisticated and used a variety of techniques, but almost always had one goal: to introduce hard-to-detect malware that enables intrusion, surveillance and data theft,” said Burt.


Microsoft discovered that the attacks used compromised third-party virtual private network (VPN) providers or stolen credentials collected through spear phishing campaigns.

Spear phishing is when hackers use electronic communications to scam people and businesses out of personal data or as a way to install malware on a targeted user’s computer.

MSTIC did observe that Nickel malware took advantage of unpatched bugs in Exchange Server and SharePoint systems.

Microsoft says it has created unique signatures to detect and protect against known Nickel activity through its security products, such as Microsoft 365 Defender.

“Nickel has targeted North America, Central America, South America, the Caribbean, Europe and Africa,” Burt said.

“There is often a link between Nickel’s goals and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT,’ and ‘Playful Dragon.’

In addition to the US, the countries where Nickel has been active are: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela.”
