Microsoft says it took over servers being used by China-based hacking group Nickel

Microsoft seized control of 42 compromised sites

The Microsoft Digital Crimes Unit (DCU) has seized 42 websites that the China-based hacking group Nickel used to attack organizations in the US, as well as around the world, according to a report on Microsoft’s blog (via Bleeping Computer). Microsoft says that the attacks were likely carried out to gather intelligence from government agencies, think tanks, and human rights groups.

A US District Court in Virginia gave Microsoft permission to take control of the compromised websites on December 2nd, as outlined in the court document (PDF), allowing Microsoft to redirect traffic from those sites to Microsoft’s servers. While this won’t stop Nickel’s attacks completely, Microsoft says it should help “protect existing and future victims while learning more about Nickel’s activities.” You can view the full list of seized websites in this PDF.
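Once the domains are redirected to Microsoft’s servers, a compromised machine that was already beaconing to them will no longer reach the attacker, but it is still compromised. The practical follow-up for a defender is to check internal DNS resolver logs for lookups of the seized names and triage the hosts that made them. The script below is an added example, not code from the article, Microsoft, or the court filing; the domain list is a constructed placeholder standing in for the published list in the PDF, and the log lines are constructed as well.

```python
"""Match DNS resolver logs against a list of seized (sinkholed) domains.

Added example; the domains and log lines are constructed placeholders and
are NOT real Nickel infrastructure. Substitute the names from the published
court list before use.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed placeholders standing in for the seized-domain list.
SEIZED_DOMAINS: Set[str] = {
    "seized-example-1.test",
    "seized-example-2.test",
}

# Constructed resolver log, one query per line:
# "<timestamp> <client-ip> <queried-name> <record-type>"
SAMPLE_LOG = """\
2021-12-06T10:01:02Z 10.0.0.15 www.seized-example-1.test A
2021-12-06T10:01:05Z 10.0.0.22 mail.corp.example A
2021-12-06T10:02:17Z 10.0.0.15 Seized-Example-2.TEST. AAAA
2021-12-06T10:03:44Z 10.0.0.31 cdn.example.net A
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    matched: str  # the seized domain the query fell under


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Foo.TEST.' equals 'foo.test'."""
    return name.rstrip(".").lower()


def matched_domain(qname: str, seized: Iterable[str]) -> Optional[str]:
    """Return the seized domain that qname equals or is a subdomain of.

    Walks the label suffixes of qname (a.b.c -> a.b.c, b.c, c) so that
    subdomains of a seized apex are caught without matching look-alike
    names such as 'notseized-example-1.test'.
    """
    seized_set = {normalize(d) for d in seized}
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in seized_set:
            return candidate
    return None


def find_hits(log_text: str, seized: Iterable[str] = SEIZED_DOMAINS) -> List[Hit]:
    """Parse the log and return every query that resolved a seized domain."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, qname, _qtype = parts[:4]
        matched = matched_domain(qname, seized)
        if matched is not None:
            hits.append(Hit(timestamp, client, qname, matched))
    return hits


def affected_clients(hits: Iterable[Hit]) -> List[str]:
    """Distinct internal hosts that need triage, sorted for stable output."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} queried {h.qname} (seized: {h.matched})")
    print("hosts to triage:", affected_clients(found))
```

The suffix walk matters in practice: seized lists usually name apex domains, while infected hosts query specific subdomains, and resolver logs often record names with mixed case or a trailing dot. A host that appears here should be treated as a prior compromise to investigate, not as a blocked attack.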

Just after the DCU’s move to block Nickel, Google announced a lawsuit against two Russian individuals believed to be responsible for operating the Glupteba botnet. The botnet was reportedly used to infect one million Windows devices. Meanwhile, Google’s CyberCrime Investigation Group and Threat Analysis Group said they teamed up to delete “around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution.”

In Microsoft’s initial complaint (PDF), the company says that Nickel uses a “variety of techniques” to install malware on victims’ computers, including compromising third-party virtual private networks and spear phishing. Due to the nature of Nickel’s attacks, the group is able to exfiltrate sensitive information from the device unbeknownst to the user.

“During the infection of a victim’s computer, Nickel deploys malware designed to make changes at the deepest and most sensitive levels of the computer’s Windows operating system,” Microsoft’s complaint reads. “The consequences of these changes are that the user’s version of Windows is essentially adulterated, and unknown to the user, has been converted into a tool to steal credentials and sensitive information from the user.”

Microsoft says that it’s been tracking Nickel since 2016, noting that the group is also referred to as APT15, KE3CHANG, Vixen Panda, Royal APT, and Playful Dragon. Nickel has targeted diplomatic organizations and ministries of foreign affairs across the world, including countries in North America, South America, Central America, the Caribbean, Europe, and Africa. It also reportedly strikes targets that align with China’s “geopolitical interests.”

With the 24 lawsuits that it has filed so far, Microsoft says that the DCU has shut down a total of over 10,000 compromised websites and blocked the registration of 600,000 potentially malicious sites.

In July, the US (along with several other nations) blamed the Chinese government for the Microsoft Exchange attack that compromised the emails of over 30,000 organizations in the US. Google and Microsoft have since pledged to help the US government bolster its cybersecurity.