
Microsoft seizes domain name used by a Chinese attack group


Microsoft said it took control of servers that a China-based attack group was using to compromise targets consistent with that country’s geopolitical interests.

The hacking group, which Microsoft calls Nickel, has been on Microsoft’s radar since at least 2016, and the software company has been tracking an intelligence-gathering campaign that has been running since 2019. The attacks — against government agencies, think tanks, and human rights organizations in the United States and 28 other countries — are “very sophisticated,” Microsoft said, and make heavy use of a variety of techniques, including exploiting vulnerabilities in software that the targets have not yet patched.

Down but not out

Last week, Microsoft sought a court order to seize websites that Nickel was using to compromise targets. The US District Court for the Eastern District of Virginia granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft can now “sinkhole” the traffic, meaning it is redirected away from Nickel’s servers to servers operated by Microsoft, which neutralizes the threat and allows Microsoft to gather intelligence about the group’s activities and its software.

“Gaining control of malicious websites and redirecting traffic from those sites to secure Microsoft servers helps us protect current and future victims and learn more about Nickel’s operations,” Tom Burt, the company’s vice president of customer trust and security, wrote in a blog post. “Our disruption will not stop Nickel from continuing to hack, but we believe we have removed a portion of the critical infrastructure the group relied on for this latest wave of attacks.”

Targeted organizations include both private- and public-sector bodies, among them diplomatic organizations and ministries of state in North America, Central America, South America, the Caribbean, Europe, and Africa. There is often a correlation between the targets and China’s geopolitical goals and interests.

Targeted organizations located in other countries include Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela.

Names other security researchers use for Nickel include KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon.

More than 10,000 websites taken down

Microsoft’s legal action last week was the 24th lawsuit the company has filed against threat actors, five of them against nation-state-sponsored groups. The lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and nearly 600 sites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 websites that the hackers planned to use in attacks.

In these lawsuits, Microsoft has invoked various federal laws — including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law — as a way to seize domains used for command-and-control servers. Legal actions led to the seizure in 2012 of infrastructure used by the Kremlin-backed Fancy Bear hacking group as well as state-sponsored attack groups in Iran, China, and North Korea. The software maker has also used lawsuits to disrupt botnets with names like Zeus, Nitol, ZeroAccess, Bamital, and TrickBot.

A legal action Microsoft took in 2014 resulted in the removal of more than a million legitimate servers that relied on No-IP.com, leaving large numbers of law-abiding people unable to reach benign websites. Microsoft was harshly criticized for the move.

VPNs, stolen credentials, and unpatched servers

In a number of cases, Nickel compromised targets through third-party VPN providers that had themselves been compromised, or with credentials stolen through phishing. In other cases, the group exploited vulnerabilities in on-premises Exchange Server or SharePoint systems for which Microsoft had already released patches that the victim had not yet installed. A separate blog post published by the Microsoft Threat Intelligence Center explained:

MSTIC has observed that NICKEL actors use exploits against unpatched systems to compromise remote access services and devices. After successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors have created and deployed custom malware that allows them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL performing frequent and scheduled data collection and exfiltration from victim networks.
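The last sentence of that description, scheduled collection and exfiltration, is a pattern a defender can look for in outbound-transfer logs: a host that pushes a large volume of data to the same destination at almost exactly the same interval. The script below is an added example written for this page; it is not Microsoft’s or MSTIC’s detection logic, and the proxy log format, the host and destination names, and the thresholds are all constructed assumptions. It groups transfers by (source host, destination), measures how regular the gaps between them are, and flags pairs whose intervals barely vary and whose total volume exceeds a threshold.

```python
"""Flag host/destination pairs whose outbound transfers recur at regular
intervals, a pattern consistent with scheduled collection and exfiltration.
Added example: the log format and thresholds are assumptions, not MSTIC's."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, source host, destination, bytes out.
# ws-14 pushes ~48 MB to files.example.net at 02:00 every night (regular),
# and makes small, irregular requests to cdn.example.org (benign noise).
SAMPLE_LOG = """\
2021-12-01T02:00:03Z ws-14 files.example.net 48213000
2021-12-01T02:00:41Z ws-14 cdn.example.org 21000
2021-12-02T02:00:05Z ws-14 files.example.net 47110000
2021-12-02T09:12:44Z ws-14 cdn.example.org 8300
2021-12-03T02:00:04Z ws-14 files.example.net 49300000
2021-12-03T16:45:10Z ws-14 cdn.example.org 410000
2021-12-04T02:00:06Z ws-14 files.example.net 50020000
2021-12-04T11:03:29Z ws-14 cdn.example.org 5100
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_periodic_transfers(text, min_events=3, max_cv=0.1, min_bytes=10_000_000):
    """Return {(src, dst): (mean_interval_seconds, total_bytes)} for pairs whose
    inter-transfer gaps are nearly constant (coefficient of variation <= max_cv)
    and that moved at least min_bytes in total. Thresholds are assumed values."""
    events = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        events[(src, dst)].append((ts, size))

    flagged = {}
    for pair, items in events.items():
        if len(items) < min_events:
            continue
        items.sort()
        total = sum(size for _, size in items)
        if total < min_bytes:
            continue
        # Seconds between consecutive transfers to the same destination.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near zero means the schedule is rigid.
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = (avg, total)
    return flagged


if __name__ == "__main__":
    for (src, dst), (avg, total) in find_periodic_transfers(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {avg / 3600:.2f} h, {total} bytes total")
```

Run against the constructed log, only the nightly push to files.example.net is flagged (interval of one day, about 195 MB in total); the small irregular requests to cdn.example.org fall below both the volume threshold and the regularity test. On real data the thresholds need tuning, and legitimate backups and update checks will also show up as periodic, so the output is a triage list, not a verdict.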
