Microsoft says it seized websites used by China-based hacking group

The software giant noted that it took down the servers of Nickel, which targeted governments, diplomatic entities, and non-governmental organisations in 29 countries.

Published - December 08, 2021 04:40 pm IST

Microsoft’s Digital Crimes Unit has seized control of 42 websites operated by a China-based hacking group dubbed Nickel, disrupting their ongoing attacks targeting organisations globally, the company said in a blog post.

The software giant noted that it took down the servers of Nickel, which targeted governments, diplomatic entities, and non-governmental organisations in 29 countries, following a federal court order granting it permission for the seizure.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” the tech firm said, adding that the disruption will not prevent Nickel from continuing other hacking activities.

The Microsoft Threat Intelligence Center has been tracking Nickel since 2016 and analysing the group’s current operations since 2019.

According to the company, Nickel exploited unpatched systems to compromise remote access services and appliances; after gaining access, it obtained legitimate credentials and used them to get into victim accounts.

The group also created and deployed custom malware that allowed it to maintain persistence on victim networks over extended periods, enabling it to perform frequent and scheduled data collection and exfiltration from victim networks, Microsoft explained.

Its implants can collect system information, like IP address, OS version, system language ID, computer name, and signed-in username.

“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” the Redmond-based firm said. “We assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives,” it added.

Nickel is also referred to by other names, such as KE3CHANG, APT15, Vixen Panda, Royal APT and Playful Dragon. Microsoft noted it has created unique signatures to detect and protect against known Nickel activity through its security products.
