Microsoft Seizes Domains Used by China-Linked APT ‘Nickel’

Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide.

The tech giant took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia, which quickly granted an order in this regard.

While the move will prevent the group’s access to some of its victims, it is unlikely to put an end to Nickel’s activities. However, Microsoft does believe that the infrastructure it just seized was used as part of the group’s most recent wave of attacks.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Microsoft says.

In activity Microsoft has been tracking since 2019, Nickel has been using the now-seized websites to execute attacks on victims in a total of 29 countries in Europe, Central and South America, the Caribbean, and North America, mostly to harvest intelligence from government agencies, human rights organizations, and think tanks.

Active since at least 2013 and also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda, the hacking group is likely sponsored by the Chinese government, as its activities often fall in line with China’s geopolitical interests.

The adversary uses vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials to compromise targets, as well as custom, hard-to-detect malware that helps it with intrusions, surveillance, and data exfiltration.

The threat actor targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems, but not new vulnerabilities in Microsoft products.

The group was observed gaining long-term access to the target organizations, which allowed it to regularly exfiltrate data of interest and to deploy a keylogger to harvest credentials, along with password dumping tools such as Mimikatz, WDigest, NTDSDump, and more.

For command and control purposes, Nickel deployed malware such as Leeson, Neoichor, NullItch, NumbIdea, and Rokum. Of these, Leeson, Neoichor, and NumbIdea rely on Internet Explorer for communication purposes, Microsoft says.

Backdoors deployed by the group can harvest system data (IP address, OS version, language ID, computer name, username), launch processes, download/upload files, and execute shellcode.

“No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders. We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace,” Microsoft says.

To date, Microsoft has filed 24 lawsuits against threat actors, including five against nation-state adversaries, which allowed it to take down roughly 10,000 malicious websites, including 600 employed by state-sponsored hackers. The company says it has also blocked the registration of 600,000 additional sites.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
