Microsoft today announced the takedown of hundreds of malicious websites used by Nickel, a China-based hacking group, to target organizations in the United States and 28 other countries. Also known as KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon, Nickel attacked the servers of government, diplomatic, and non-governmental organizations (NGOs) in 29 countries, mainly in Europe and Latin America.
Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, stated, “Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, South America, Central America, the Caribbean, Europe, and Africa.” He further said, “We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations.”
After a complaint was filed on December 2, the US District Court for the Eastern District of Virginia granted an order, allowing Microsoft to shut down Nickel’s infrastructure (the list of seized domains can be found here).
The domains were transferred “to secure servers by changing the authoritative name servers to NS104a.microsoftinternetsafety.net and NS104b.microsoftinternetsafety.net,” as per the court’s ruling (which also includes a list of confiscated sites). The threat group behind these malicious domains was initially discovered by Microsoft’s Digital Crimes Unit (DCU) in 2016. It has been active since at least 2010, according to Mandiant, which tracks the group as Ke3chang.
Microsoft’s Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) have observed Nickel targeting government agencies across Latin America and Europe since 2019. Nickel’s ultimate purpose is to install malware on compromised servers that lets its operators monitor victims’ activities, collect data, and exfiltrate it to servers under their control.
These Chinese-backed hackers get into their targets’ networks through compromised third-party VPN (virtual private network) providers, credentials obtained in spear-phishing attacks, and vulnerabilities in unpatched on-premises Exchange Server and SharePoint systems. Microsoft’s write-up covers the group’s activities and indicators of compromise in more detail, including the domains used in its attacks.
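The takedown works by repointing each seized domain’s authoritative name servers at Microsoft’s sinkhole, and the published domain list is what defenders should be matching against their own DNS telemetry. The script below is an added illustration, not Microsoft’s tooling: it matches resolver log lines against a watchlist (including subdomains of listed names) and checks whether a domain’s NS records already point at the sinkhole servers named in the court order. The watchlist entries and the log lines are constructed placeholders; the real domain list comes from the seizure order linked above.

```python
"""Match DNS resolver logs against a takedown watchlist and check sinkhole status.

Added example; not Microsoft's code. SINKHOLE_NS holds the name servers quoted
from the court order; WATCHLIST and SAMPLE_LOG are constructed for this example.
"""
import re
from typing import Iterable, Optional

# Authoritative name servers the seized domains were pointed at (from the court order).
SINKHOLE_NS = frozenset({
    "ns104a.microsoftinternetsafety.net",
    "ns104b.microsoftinternetsafety.net",
})

# Constructed placeholder watchlist. In practice, load the domain list published
# with the seizure order; none of these names come from the article.
WATCHLIST = frozenset({
    "placeholder-c2-one.example",
    "placeholder-c2-two.example",
})

# Constructed resolver log lines: "<timestamp> client=<ip> q=<name> type=<rrtype>".
SAMPLE_LOG = """\
2021-12-06T09:12:01Z client=10.1.4.22 q=www.microsoft.com type=A
2021-12-06T09:12:07Z client=10.1.4.22 q=update.placeholder-c2-one.example type=A
2021-12-06T09:13:40Z client=10.1.9.8 q=placeholder-c2-two.example type=AAAA
2021-12-06T09:14:02Z client=10.1.9.8 q=mail.internal.corp type=MX
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) type=(?P<rtype>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def matches_watchlist(qname: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlist entry that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for bad in watchlist:
        b = normalize(bad)
        # Require a label boundary: 'notbad.example' must not match 'bad.example'.
        if q == b or q.endswith("." + b):
            return b
    return None


def parse_dns_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_watchlist_hits(text: str, watchlist: Iterable[str] = WATCHLIST) -> list:
    """Return (timestamp, client, matched_domain) for every query touching the watchlist."""
    hits = []
    for rec in parse_dns_log(text):
        hit = matches_watchlist(rec["qname"], watchlist)
        if hit:
            hits.append((rec["ts"], rec["client"], hit))
    return hits


def is_sinkholed(ns_records: Iterable[str]) -> bool:
    """True if any authoritative NS for a domain is one of the takedown sinkhole servers.

    Feed this the NS answers from your resolver. A hit means the domain is already
    under the takedown: traffic to it no longer reaches the operators, but the host
    that asked for it still needs review, because the query shows it is infected.
    """
    return any(normalize(ns) in SINKHOLE_NS for ns in ns_records)


if __name__ == "__main__":
    for ts, client, dom in find_watchlist_hits(SAMPLE_LOG):
        print(f"{ts} {client} queried watchlisted domain {dom}")
    print("sinkholed:", is_sinkholed(["NS104a.microsoftinternetsafety.net."]))
```

The subdomain check matters because command-and-control traffic often uses hostnames beneath a listed apex; the label-boundary test prevents a legitimate name that merely ends with the same characters from being flagged. A sinkhole hit is a triage signal rather than an all-clear: the host that resolved the domain was compromised before the takedown and still needs investigation.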
In August 2018, Microsoft filed 15 identical lawsuits against the Russian-backed organization Strontium (also known as Fancy Bear or APT28), resulting in the seizure of 91 malicious domains.