Microsoft has seized 42 domains being used by a Chinese cyber espionage group that has targeted organizations in the U.S. and other countries.The group, called “Nickel” by Microsoft but better known as APT15, has been active since 2010 and is believed to be a state-sponsored hacking group.
Microsoft has been tracking the group for a long time. The group’s primary targets are government agencies, think tanks and human rights organizations, although it has also targeted a broad range of companies.
Microsoft describes APT15’s activities as highly sophisticated, using a variety of techniques. The common theme from the group’s attack was to insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.
Some attacks involved the use of compromised third-party virtual private network suppliers or stolen credentials obtained from spear-phishing campaigns. The group used malware that targeted unpatched on-premises Exchange Server and SharePoint systems in other attacks.
Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.
The takedown of the Nickel/APT15 is not the first time Microsoft has successfully targeted alleged nation-state-sponsored hacking groups. Previous successful cases involving Microsoft include Thallium from North Korea, Barium, allegedly from China, Strontium from Russia and Phosphorus from Iran.