Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean.
In two blog posts published on Monday, Microsoft vice president Tom Burt, the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center said they have been tracking Nickel since 2016 and that a federal court in Virginia granted the company’s request to seize websites the group was using to attack organizations in the US and other countries.
Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to “cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.”
“We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Burt said.
“The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
The attacks — which involved inserting hard-to-detect malware that enabled intrusions, surveillance and data theft — targeted organizations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the UK, the US and Venezuela.
The Microsoft Threat Intelligence Center found that in some cases Nickel gained initial access by compromising VPN suppliers or by using stolen credentials, while in other instances it took advantage of unpatched Exchange Server and SharePoint systems.
The company noted that no new vulnerabilities in Microsoft products were used as part of the attacks. But once the attackers were inside a network, they looked for ways to gain access to higher-value accounts or other footholds in the system. Microsoft said it saw Nickel actors using Mimikatz, WDigest, NTDSDump and other password dumping tools during attacks.
“There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT,’ and ‘Playful Dragon,’” Burt explained.
“Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace.”
Burt added that so far, Microsoft has filed 24 lawsuits that allowed them to take down more than 10,000 malicious websites from cybercriminals and almost 600 from nation-state groups.
Jake Williams, CTO of BreachQuest, noted that the techniques used by Nickel after initial access are fairly pedestrian, while many of the other tools are readily available and widely used by penetration testers.
“While NICKEL certainly has access to tools that are far more capable, they turn back to these commonplace tools because they work,” Williams said. “That these readily available tools can operate at all speaks to the level of security in target networks.”