Microsoft claims victory over Beijing in battle of the 42 websites

By Elles Houweling

Microsoft has said it seized control of 42 websites that were being used by a Chinese state-backed group it tracks as “Nickel”, also known as APT15. The group allegedly targeted organisations in 29 countries, including the UK and the US.

The Microsoft Digital Crimes Unit (DCU) was granted authorisation by a federal court in Virginia to take over the websites Nickel used to gather intelligence from government agencies, think tanks and human rights organisations, Microsoft said on Monday.

On December 2, the Redmond-based company filed pleadings with the US District Court for the Eastern District of Virginia, seeking authority to take control of the websites. Soon after, the court granted an order, which was unsealed on Monday.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities.

“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Microsoft said.

It added that it had been tracking Nickel since 2016 and had previously described the group as one of the “most active” hacking organisations targeting government agencies. Microsoft said it had observed “highly sophisticated” attacks that installed hard-to-detect malware facilitating intrusion, surveillance and data theft.

According to the US giant, Nickel’s attacks occasionally used compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear phishing campaigns. In some observed activity, Nickel malware made use of exploits targeting unpatched on-premises Exchange Server and SharePoint systems.

“However, we have not observed any new vulnerabilities in Microsoft products as part of these attacks. Microsoft has created unique signatures to detect and protect from known Nickel activity through our security products,” the company added.
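When a takedown like this one redirects a group's domains to a sinkhole, the defender's follow-up is retrospective: search resolver logs for any host that queried those domains before the redirection, since such a host was very likely beaconing to the attacker. The script below is an added example written for this article, not Microsoft's code or any published Nickel indicator. The indicator domains, the BIND-style query log lines and the internal IP addresses are all constructed for the example (reserved `.example` names), and the log format is an assumption; swap in your resolver's own format and the published indicator list.

```python
"""
Retrospective DNS hunt: match resolver query logs against a list of
command-and-control domains that a takedown has sinkholed.

The indicator list, log lines and client addresses below are CONSTRUCTED
for this example (reserved .example names); they are not Nickel indicators.
"""
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed indicator list: domains a takedown order has redirected to a
# sinkhole. A query matches on the exact domain or on any subdomain of it.
SINKHOLED_DOMAINS = {
    "update-check.example",
    "cdn-static.example",
}

# Constructed resolver log lines, assumed BIND-style query log format:
# "<date> <time> client <ip>#<port>: query: <name> IN <type>"
SAMPLE_LOG = """\
08-Dec-2021 09:14:02.113 client 10.20.1.15#51234: query: www.microsoft.com IN A
08-Dec-2021 09:14:05.920 client 10.20.1.15#51240: query: api.update-check.example IN A
08-Dec-2021 09:15:11.004 client 10.20.3.7#40011: query: update-check.example IN TXT
08-Dec-2021 09:16:40.377 client 10.20.3.7#40015: query: notupdate-check.example IN A
08-Dec-2021 09:17:02.500 client 10.20.5.9#33012: query: cdn-static.example. IN AAAA
"""


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot some resolvers log."""
    return name.rstrip(".").lower()


def matches_indicator(qname: str, indicators) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Compare on label boundaries: 'notupdate-check.example' must NOT match
    'update-check.example', which a naive endswith() on the raw string would.
    """
    q = normalize(qname)
    for ioc in indicators:
        ioc_n = normalize(ioc)
        if q == ioc_n or q.endswith("." + ioc_n):
            return ioc_n
    return None


def parse_line(line: str):
    """Parse one query log line into (timestamp, client_ip, qname, qtype).

    Returns None for lines that do not have the expected eight-token shape,
    so malformed or unrelated log lines are skipped rather than crashing the hunt.
    """
    parts = line.split()
    if len(parts) != 8 or parts[2] != "client" or parts[4] != "query:":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%d-%b-%Y %H:%M:%S.%f")
    client_ip = parts[3].split("#")[0]
    return ts, client_ip, parts[5], parts[7]


def hunt(log_text: str, indicators=SINKHOLED_DOMAINS):
    """Return {client_ip: [(timestamp, qname, matched_indicator), ...]} for
    every query that hit a sinkholed domain, oldest first per client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _qtype = parsed
        ioc = matches_indicator(qname, indicators)
        if ioc:
            hits[ip].append((ts, normalize(qname), ioc))
    for ip in hits:
        hits[ip].sort()
    return dict(hits)


if __name__ == "__main__":
    for ip, events in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{ip}: {len(events)} query(ies) to sinkholed infrastructure")
        for ts, qname, ioc in events:
            print(f"  {ts.isoformat()}  {qname}  (matches {ioc})")
```

On the constructed log, three internal hosts are flagged; the `notupdate-check.example` lookup is correctly ignored because the match is on a label boundary, and the trailing-dot form `cdn-static.example.` still matches. Run the same hunt over logs from before the takedown date, since after it the traffic lands on the sinkhole and the victim may no longer look compromised.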

The statement also pointed out that there has been an increase in nation-backed hacking endeavours.

“To date, in 24 lawsuits – five against nation-state actors – we’ve taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future,” it said.

According to Microsoft, Nickel has targeted organisations in both the private and public sectors, including diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa. There is often a correlation between Nickel’s targets and China’s geopolitical interests.

Others in the security community who have researched this group of actors refer to the group by other names, including “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon.”

In addition to the US and UK, the countries in which Nickel has been active include: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago and Venezuela.

This summer, the US and its allies officially blamed China for a large-scale cyberattack against Microsoft Exchange Servers, which saw tens of thousands of organisations around the world hacked earlier this year.

On March 2, Microsoft revealed that a “state-sponsored” threat actor had used zero-day exploits to gain access to on-premises Microsoft Exchange Servers, giving attackers access to compromised organisations’ emails and address books, along with a launching point to install malware for further attacks.

APT stands for advanced persistent threat, a term used to describe a stealthy threat actor, typically a nation-state or a state-backed group, which gains unauthorised access to a computer network and manages to remain undetected for an extended period of time. These attacks are usually politically motivated.

APT15 has been identified as a threat most likely operating from China that specifically targets organisations in the global trade, economic and financial services, energy and military sectors in support of Chinese government interests. Malware families associated with the group include ENFAL, BALDEAGLE, NOISEMAKER and MIRAGE.

APT15 typically uses well-crafted spear phishing emails for initial compromise against global targets in sectors of interest to the Chinese government. Significantly, APT15 uses backdoors and infrastructure that are not unique to the group, making attribution challenging.

The countries most commonly associated with cybercrime include Russia, China and Iran, but analysis of the top 10 attack originators over the last five years shows a much broader global picture, says a GlobalData thematic report on cybersecurity.

LexisNexis Risk Solutions, in its July-December 2019 cybercrime report, found that the top 10 attack originators are spread across five continents, with the US, Canada, and the UK joined by growth economies Mexico, India and Bangladesh.

The research highlights how truly global cybercrime has become. Nation-state attacks continue, usually for geopolitical reasons, with Australia warning in June 2020 that its organisations were being targeted by a “state-based cyber actor.”

Microsoft is currently ranked number one on GlobalData’s thematic scorecard in relation to cybersecurity. According to the analysis, the company does particularly well in areas such as endpoint security and identity management.