Microsoft Has Taken Down Websites Used by APT15 Chinese State Hackers

Microsoft Has Taken Down Websites Used by APT15 Chinese State Hackers

Microsoft today announced the takedown of hundreds of malicious websites used by Nickel, a China-based hacking gang, to target companies in the United States and 28 other countries across the world. Also known as KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon, Nickel attacked government, diplomatic, and non-governmental organizations (NGOs) servers in 29 countries, mainly in Europe and Latin America.

Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, stated, “Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, South America, Central America, the Caribbean, Europe, and Africa.” He further said, “We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations.”

After a complaint was filed on December 2, the US District Court for the Eastern District of Virginia granted an order, allowing Microsoft to shut down Nickel’s infrastructure (the list of seized domains can be found here).

The domains were transferred “to secure servers by changing the authoritative name servers to and,” as per the court’s ruling (which also includes a list of confiscated sites). The threat organization behind these malicious domains was initially discovered by Microsoft’s Digital Crimes Unit (DCU) in 2016. They’ve been active since at least 2010, according to Mandiant, who track them as Ke3chang.

Microsoft’s Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) have spotted it targeting government agencies across Latin America and Europe since 2019. Nickel’s ultimate purpose is to install malware on infected servers that allows its operators to track their victims’ activities, gather data, and exfiltrate it to servers under their control.

These Chinese-backed hackers employ hacked third-party VPN (virtual private network) providers, credentials obtained in spear-phishing attacks, and vulnerabilities targeting unpatched on-premises Exchange Server and SharePoint systems to get into their targets’ networks. Here’s where you can learn more about the hacker group’s harmful activities and signs of compromise, including the domains they used in their attacks.

In August 2018, Microsoft filed 15 identical lawsuits against the Russian-backed organization Strontium (also known as Fancy Bear or APT28), resulting in the seizure of 91 malicious domains.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.