Microsoft seizes sites used by Chinese state hackers APT15


Microsoft today seized dozens of malicious sites used by the China-based hacking group Nickel to target organizations in the United States and 28 other countries around the world.

In these attacks, the Nickel threat actor (also tracked as KE3CHANG, APT15, Vixen Panda, Royal APT and Playful Dragon) compromised the servers of government organizations, diplomatic entities and non-governmental organizations (NGOs) in 29 countries, mainly in Europe and Latin America.

“Nickel has targeted private and public sector organizations, including diplomatic organizations and foreign ministries from North America, Central America, South America, the Caribbean, Europe and Africa,” said Tom Burt, corporate vice president for Customer Security and Trust at Microsoft.

“We believe these attacks were widely used for intelligence gathering from government agencies, think tanks, and human rights organizations.”

Microsoft was able to dismantle Nickel’s infrastructure after the U.S. District Court for the Eastern District of Virginia issued an order corresponding to the company’s pleadings, filed on December 2.

Microsoft’s Digital Crimes Unit (DCU) first spotted the threat cluster behind these malicious domains in 2016. Mandiant tracks the group as Ke3chang and says it has been active since at least 2010.

Since 2019, it has been observed targeting government entities in Latin America and Europe by Microsoft’s Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU).

Nickel’s end goal is to deploy malware to compromised servers, which allows its operators to monitor the activity of their victims, as well as collect data and exfiltrate it to servers under their control.

These China-backed hackers gain access to their targets’ networks through compromised third-party VPN (Virtual Private Network) providers, credentials stolen in phishing campaigns, and exploits against unpatched on-premises Exchange and SharePoint servers.

More information about the hacking group’s malicious activity and indicators of compromise, including the domains used in their attacks, can be found here.

[Image: Nickel targets (Microsoft)]

“To date, in 24 lawsuits – five against state actors – we have removed more than 10,000 malicious websites used by cybercriminals and almost 600 sites used by state actors,” Burt added.

“We were also successful in blocking the registration of 600,000 sites to get ahead of criminal actors who planned to use them maliciously in the future.”

In March 2020, the company took control of the US-based infrastructure that the Necurs spam botnet used to distribute malware payloads and infect millions of computers.

According to Microsoft, before being dismantled, Necurs sent around 3.8 million spam messages to more than 40.6 million targets in just 58 days.

Redmond also sued North Korea-linked cyberespionage group Thallium in December 2019 and seized 50 domains that were part of the hacking group’s malicious domain infrastructure.

Microsoft’s Digital Crimes Unit also disrupted the Iranian-backed APT35 threat actor (aka Charming Kitten, Phosphorus or Ajax Security Team) in December 2019 after taking over the servers used in its cyber attacks.

Previously, Microsoft filed 15 similar cases against Russia-backed group Strontium (aka Fancy Bear or APT28) in August 2018, which led to the seizure of 91 malicious domains.
