Microsoft’s Digital Crimes Unit (DCU) has got a go-ahead from a federal court in Virginia to seize 42 domains used by a Chinese cyber espionage group that the DCU calls “Nickel.” The group used these websites to carry out attacks on specific organisations in the US and 28 other countries.
According to Tom Burt, corporate vice president for customer security and trust, these attacks were being used to gather intelligence from government agencies, think tanks and human rights organisations. The initial pleading was filed with the US District Court for the Eastern District of Virginia on December 2, seeking authority to take control of the sites.
The company believes that while the disruption may not completely derail Nickel, they “have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
Penny on the Nickel?
The company aims to take control of the malicious websites and redirect traffic to their secure servers to help protect any existing and future victims while at the same time gaining some more insight into Nickel’s activities.
Nickel has previously targeted organisations from both the public and private sectors. There’s often some correlation between Nickel’s targets and China’s geopolitical interests. Apart from the US, the group has targeted organisations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom and Venezuela.
According to similar industry reports, the victims were being hacked using compromised third-party VPN services or via stolen credentials obtained from multiple spear-phishing campaigns, which are rather common practices with Chinese espionage groups in general.
Nickel went as far as to target diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa.
Microsoft’s DCU isn’t the only organisation to research the group either. Other security researchers often refer to the group using different names, including “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT”, and “Playful Dragon.”