Microsoft has cracked down on a China-based hacking group that's behind widespread cyberattacks on government agencies, think tanks and human rights organizations in 29 countries, including the U.S.
The tech company said on Monday it seized 42 websites that were used by the threat group, which is called Nickel, with the aim of cutting off attackers’ access to victims and preventing them from using the sites to execute attacks.
“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” said Tom Burt, corporate vice president of Customer Security and Trust with Microsoft on Monday.
The Nickel threat group (also known as APT15, Vixen Panda, KE3CHANG, Royal APT and Playful Dragon) has launched highly sophisticated attacks since at least 2010, infecting victims with malware that steals data, facilitates intrusion and conducts surveillance.
Typically, attackers initially infected victims through compromised credentials obtained with spear-phishing; via compromised, third-party virtual private network (VPN) suppliers; or by exploiting known vulnerabilities on unpatched Exchange Server or SharePoint systems. The APT has leveraged several malware families, including the Okrum backdoor, MirageRAT and the Ketrican malware.
Nickel's targets have ranged broadly from diplomatic organizations and ministries of affairs to members of organizations that attempt to maintain world peace. Researchers have observed a frequent correlation between the threat group’s targets and China’s geopolitical interests.
Microsoft on Dec. 2 filed pleadings with the U.S. District Court for the Eastern District of Virginia to take control of the attacker-owned sites, arguing in a complaint that the APT’s activities “continue to cause irreparable injury to Microsoft, its customers, and the public” and that the attacks have caused a $5,000 loss to Microsoft during a one-year period. The complaint was filed in this specific state because that’s where the domains maintained by the actor were registered and where some of the victims were targeted, according to Microsoft.
Seizures of this kind give Microsoft control of the malicious websites and redirect the traffic bound for them to Microsoft servers, giving the company better insight into the activities of the APT.
“This is definitely a significant disruption,” said Jake Williams, co-founder and CTO at incident response company BreachQuest. “While the domains can be replaced relatively quickly, multiple tool signatures were released and those will require more effort to replace. Organizations with appropriate telemetry, such as DNS or web proxy logs, can look back historically to determine if they've been targeted as well. As disruption operations go, taking over command and control domains is a worst case scenario.”
Microsoft, and other tech companies such as Google, have previously relied on this type of legal strategy to disrupt cybercriminal operations. To date, Microsoft has filed 24 similar lawsuits that have allowed it to take down 10,000 malicious cybercriminal websites and 600 nation-state actor websites, including infrastructure used by Trickbot, Zeus, Citadel and the Necurs botnet. Google has also disrupted various campaigns and infrastructure associated with cybercriminals, on Tuesday announcing it had disrupted the Glupteba Windows malware.