Microsoft announced on Monday that it has seized 42 websites from a Chinese hacking group in an attempt to stop the group’s intelligence-gathering efforts.
A federal court in Virginia granted Microsoft’s request to allow its Digital Crimes Unit to take over the U.S.-based websites that were being managed by a hacking group known as Nickel or APT15, which the cybersecurity industry also tracks under names such as Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda. The advanced persistent threat (APT) actor is thought to have been active since at least 2012.
Nickel was observed using credential-dumping tools and stealers such as Mimikatz and WDigest to gain an initial foothold, then deploying custom malware that allowed the actor to maintain persistence on victim networks for extended periods, conduct regularly scheduled file exfiltration, execute arbitrary shellcode, and collect emails from Microsoft 365 accounts using compromised credentials.
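Credential dumping of the kind described above depends, on modern Windows, on WDigest caching plaintext credentials in LSASS, which Microsoft's hardening guidance says to keep disabled by leaving the `UseLogonCredential` value at 0. The following is an added example, not code from the article or from Microsoft, of a detection that scans registry-change log records and flags any write that turns that setting on. The registry key and value name are the real ones; the log lines are constructed, and their field names (`ts`, `host`, `user`, `key`, `value`, `data`) are an assumed simplified schema rather than any vendor's event format.

```python
# Added example (not from the article): flag registry changes that enable
# WDigest plaintext-credential caching, a setting defenders keep at 0 because
# enabling it leaves cleartext passwords in LSASS memory for dumping tools.
# The log records below are constructed; their JSON field names are an
# assumed simplified schema, not a real vendor format.
import json
from typing import Dict, List

# Real registry location of the WDigest setting.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WDIGEST_VALUE = "UseLogonCredential"

# Constructed sample log: one benign registry write, one WDigest enablement,
# and one WDigest hardening (value set back to 0). Raw string keeps the
# JSON-escaped backslashes intact so json.loads() decodes them to single ones.
SAMPLE_LOG = r"""
{"ts": "2021-12-06T09:14:02Z", "host": "ws01", "user": "CORP\\alice", "key": "HKLM\\SOFTWARE\\Vendor\\App", "value": "Installed", "data": "1"}
{"ts": "2021-12-06T09:15:10Z", "host": "ws01", "user": "CORP\\alice", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "value": "UseLogonCredential", "data": "1"}
{"ts": "2021-12-06T09:20:33Z", "host": "srv02", "user": "CORP\\svc_backup", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "value": "UseLogonCredential", "data": "0"}
"""


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON log lines, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count these as parse errors
    return records


def _enabled(data) -> bool:
    """Treat 1, "1", "0x1", "0x00000001" as enabled; DWORD rendering varies by tool."""
    try:
        return int(str(data), 0) == 1
    except ValueError:
        return False


def is_wdigest_enable(rec: Dict) -> bool:
    """True when a record sets UseLogonCredential to 1 under the WDigest key.

    Registry paths are case-insensitive on Windows, so compare lower-cased.
    """
    return (
        str(rec.get("key", "")).lower() == WDIGEST_KEY.lower()
        and str(rec.get("value", "")).lower() == WDIGEST_VALUE.lower()
        and _enabled(rec.get("data"))
    )


def find_wdigest_enables(records: List[Dict]) -> List[Dict]:
    """Return only the records that enable WDigest credential caching."""
    return [r for r in records if is_wdigest_enable(r)]


def alerts_for(text: str) -> List[str]:
    """Produce one human-readable alert per offending record in a log text."""
    return [
        f"{r['ts']} {r['host']}: {r['user']} enabled WDigest UseLogonCredential"
        for r in find_wdigest_enables(parse_records(text))
    ]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, only the `ws01` record trips the rule; the `srv02` write sets the value back to 0 and is ignored, which is the behaviour you want so that remediation activity does not page the on-call. The same structure (normalise key, normalise value, parse the data as an integer with base detection) carries over to other registry-based hardening checks.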
Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, reported: “Nickel has targeted both private and public sector organisations, including diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. The objectives of Nickel are frequently linked to China’s geopolitical ambitions.” Nickel was allegedly attacking organisations in 29 countries and using the information it gathered.
The latest wave of attacks adds to the APT15 group’s long catalogue of surveillanceware efforts in recent years. In July 2020, mobile security firm Lookout revealed four trojanized legitimate apps — SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle — that were designed to gather and transmit personal user data to adversary-operated command-and-control servers and targeted the Uyghur ethnic minority and the Tibetan community.
According to Microsoft, the cyber attacks were “highly sophisticated” and used a variety of techniques, including breaching remote access services and exploiting vulnerabilities in unpatched VPN appliances, Exchange Server, and SharePoint systems to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft.
The malicious infrastructure allowed the hacking team to keep long-term access to the compromised machines and carry out attacks for intelligence gathering purposes against unnamed government agencies, think tanks, and human rights organisations as part of a digital espionage campaign that began in September of this year.
Finally, Microsoft concluded: “We estimate that China-based threat actors will continue to target customers in the government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives.”