Microsoft Seizes Domains Used by China-Linked APT ‘Nickel’

Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide.

The tech giant took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia, which quickly granted an order in this regard.

While the move will prevent the group’s access to some of its victims, it is unlikely to put an end to Nickel’s activities. However, Microsoft does believe that the infrastructure it just seized was used as part of the group’s most recent wave of attacks.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Microsoft says.

In activity Microsoft has been tracking since 2019, Nickel has been using the now seized websites to execute attacks on victims in a total of 29 countries in Europe, Central and South America, the Caribbean, and North America, mostly for harvesting intelligence from government agencies, human rights organizations, and think tanks.

Active since at least 2013 and also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda, the hacking group is likely sponsored by the Chinese government, as its activities often fall in line with China’s geopolitical interests.

The adversary uses vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials to compromise targets, as well as custom, hard-to-detect malware that helps it with intrusions, surveillance, and data exfiltration.

The threat actor targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems, but not new vulnerabilities in Microsoft products.

The group was observed gaining long-term access to the target organizations, which allowed it to regularly exfiltrate data of interest, as well as to deploy a keylogger to harvest credentials alongside password dumping tools such as Mimikatz, WDigest, NTDSDump, and others.

For command and control purposes, Nickel deployed malware such as Leeson, Neoichor, NullItch, NumbIdea, and Rokum. Of these, Leeson, Neoichor, and NumbIdea rely on Internet Explorer for communication purposes, Microsoft says.

Backdoors deployed by the group can harvest system data (IP address, OS version, language ID, computer name, username), launch processes, download/upload files, and execute shellcode.

“No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders. We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace,” Microsoft says.

To date, Microsoft has filed 24 lawsuits against threat actors, including five against nation-state adversaries, which allowed it to take down roughly 10,000 malicious websites, including 600 employed by state-sponsored hackers. The company says it also blocked the registration of 600,000 additional sites.

Written by Ionut Arghire, an international correspondent for SecurityWeek.