
Microsoft seizes domains used by Chinese hacking group

The tech giant claimed that there’s often a correlation between the group’s targets and China’s geopolitical interests

Microsoft has revealed that it has disrupted the activities of a China-based hacking group it has been tracking since 2016. 

A federal court in Virginia granted the company’s request to seize websites belonging to the group, dubbed Nickel, which was using them to attack organisations in the US and 28 other countries around the world.

Microsoft believes the attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organisations.

Microsoft said it had been tracking Nickel since 2016 and analysing the way it has targeted government organisations across Latin America and Europe since 2019. The tech giant said the attacks were highly sophisticated and nearly always had one goal: to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft.

Sometimes, the attacks used compromised third-party virtual private network suppliers or stolen credentials obtained from spear phishing campaigns. In some observed activity, the malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. Microsoft underlined it had not observed any new vulnerabilities in its products as part of the attacks, and has created unique signatures to detect and protect from known Nickel activity in its security products.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” said Tom Burt, Microsoft corporate vice president of Customer Security & Trust.


“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

The tech giant explained that Nickel targeted organisations in both the private and public sectors, including diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa. It added that there is often a correlation between Nickel’s targets and China’s geopolitical interests.

Other countries in which Nickel has been active include Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.

The company added that others in the security community who have researched the group refer to it by different names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon.
