Microsoft Gets Court Order to Disrupt Chinese Cyber OpsFirm Can Now Seize Websites Used to Gather Government Intelligence
A U.S. federal court in Virginia has paved the way for technology giant Microsoft to disrupt the activities of China-based hacking group Nickel.
The U.S. District Court for the Eastern District of Virginia granted Microsoft's request to seize websites used by the hacking group to gather intelligence from government agencies, think tanks and human rights organizations in the United States and 28 other countries, according to the company.
Microsoft filed its plea to take control of the websites on Dec. 2.
The order allows the company's Digital Crimes Unit to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks, says Tom Burt, corporate vice president of customer security and trust at Microsoft.
"Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities," Burt says.
But, he says, the current disruption will not prevent Nickel from continuing other hacking activities.
The disruption of this campaign will be a significant blow to the Chinese government, says Jake Williams, CTO of cybersecurity firm BreachQuest and a former member of the National Security Agency's elite hacking team.
"In particular, the seizure of the domains associated with the Nickel threat actor gives Microsoft the ability to identify additional victims over the coming weeks as malware beacons back to these domains for command and control," he says.
Williams tells ISMG that the techniques used by the threat actor after initial access are "fairly pedestrian." Nickel uses Mimikatz and NTDSDump - tools readily available to penetration testers, he says.
While Nickel has access to tools that are far more capable, the group uses commonplace methods "because they work and can operate to the level of security in target networks," Williams says.
The move will likely have only limited long-term effect against Nickel - or Vixen Panda, as cybersecurity firm CrowdStrike calls the group, says Adam Meyers, senior vice president of intelligence at CrowdStrike. It does, however, give Microsoft an opportunity to collect information about the attackers and their targets, he tells ISMG.
Microsoft, which has been tracking Nickel since 2016 and analyzing this specific activity since 2019, says the attacks use a variety of techniques to achieve one goal: insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.
"Sometimes, Nickel’s attacks used compromised third-party virtual private network suppliers or stolen credentials obtained from spear-phishing campaigns. In some observed activity, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems," Microsoft says.
The company says it created signatures to detect and defend users from known Nickel activity, adding that it has not observed new vulnerabilities in its products as part of these attacks.
Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa, Microsoft says.
"There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including Ke3chang, APT15, Vixen Panda, Royal APT and Playful Dragon," the Microsoft blog says (see: Why Hackers Abuse Active Directory).
In addition to the U.S., Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, the Czech Republic, the Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom and Venezuela are among the countries where Nickel has been active.
In July, Microsoft's Digital Crimes Unit received a similar court order that forced domain registrars to disable services on 17 malicious domains used by a cybercrime gang operating out of West Africa to host fake Microsoft websites when conducting business email compromise attacks (see: Microsoft Disrupts Business Email Compromise Domains).
Once Microsoft received the court order, 17 domains were immediately taken down, the company said at the time. The domain names were almost identical to authentic Microsoft corporate websites.
"We filed this case to target the use of homoglyph - or imposter - domains that are increasingly being used in a variety of attacks," the company said at the time.
The Digital Crimes Unit has used this legal strategy against cybercriminals and nation-state hackers in 24 lawsuits, five of which were against nation-state actors, the latest report shows.
To date, the unit has taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors, it says. The unit has also blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future, it adds.