The Microsoft Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group we call Nickel. In documents that were unsealed today, a federal court in Virginia granted our request to seize websites that Nickel was using to attack organizations in the United States and 28 other countries around the world, allowing us to cut off Nickel’s access to its victims and to prevent those websites from being used to carry out further attacks. We believe these attacks were largely used for intelligence gathering from government agencies, think tanks, and human rights organizations.
On December 2, Microsoft filed pleadings with the U.S. District Court for the Eastern District of Virginia seeking permission to take control of the sites. The court quickly issued an order, which was unsealed today after service on the hosting providers was completed. Taking control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while we learn more about Nickel’s operations. Our disruption will not prevent Nickel from continuing other hacking activities, but we believe we have removed a key piece of the infrastructure the group was relying on for this latest wave of attacks.
Microsoft’s DCU was a pioneer in using this legal strategy against cybercriminals and, more recently, nation-state hackers. To date, in 24 lawsuits – five against state actors – we have removed more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by state actors. We were also successful in blocking the registration of 600,000 sites to get ahead of criminal actors who planned to use them maliciously in the future.
The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016 and analyzing this specific activity since 2019. As with any observed nation-state actor activity, Microsoft continues to notify customers who have been targeted or compromised, wherever possible, providing them with the information they need to secure their accounts. The attacks observed by MSTIC are highly sophisticated and use a variety of techniques, but they almost always share one goal: to implant hard-to-detect malware that facilitates intrusion, surveillance and data theft. In some cases, Nickel’s attacks used compromised third-party virtual private network (VPN) providers or credentials stolen through spear-phishing campaigns. In other observed activity, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. We did not, however, observe any new vulnerabilities in Microsoft products being exploited as part of these attacks. Microsoft has created unique signatures to detect and block known Nickel activity through our security products, such as Microsoft 365 Defender.
Nickel has targeted private and public sector organizations, including diplomatic organizations and foreign ministries from North America, Central America, South America, the Caribbean, Europe and Africa. There is often a correlation between Nickel’s targets and China’s geopolitical interests. Other members of the security community who have researched this group of actors refer to the group by other names, including “KE3CHANG”, “APT15”, “Vixen Panda”, “Royal APT” and “Playful Dragon”.
Besides the United States, the countries in which Nickel has been active are: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela.
Nation-state attacks continue to proliferate in number and sophistication. Our focus in this case, as in our previous disruptions that targeted Barium, operating from China; Strontium, operating from Russia; Phosphorus, operating from Iran; and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand the actors’ tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace. We will remain tireless in our efforts to improve the security of the ecosystem, and we will continue to share the activity we see, regardless of where it originates.
No single action by Microsoft or anyone else in the industry will stop the wave of attacks we have seen from nation states and from cybercriminals operating within their borders. We need industry, governments, civil society and others to come together and build a new consensus on what is and is not appropriate behavior in cyberspace. We are encouraged by recent progress. Last month, the United States and the European Union joined the Paris Call for Trust and Security in Cyberspace, the world’s largest multi-stakeholder affirmation of cybersecurity fundamentals, with more than 1,200 endorsers. The Oxford Process has brought together some of the world’s leading legal scholars to assess how international law applies to cyberspace. And the United Nations has taken critical steps to advance the dialogue among stakeholders. It is our responsibility, and that of every entity with the appropriate expertise and resources, to do all we can to help build trust in technology and protect the digital ecosystem.
Tags: cyberattacks, cyber fraud, cybersecurity, Digital Crimes Unit, MSTIC, Paris Call for Trust and Security in Cyberspace