Microsoft Seizes Nearly 50 Domains Operated by Chinese Hackers
- By David Lukic
- Published: Dec 23, 2021
- Last Updated: Mar 18, 2022
Microsoft recently announced it seized more than 40 domains owned by hackers in China. The Chinese digital espionage group used the domains to target organizations in the United States and 28 other countries.
How Did Microsoft Seize the Domains?
Microsoft seized the hackers’ domains with a legal warrant. A Virginia federal court issued this warrant. A total of 42 malicious domains were seized.
What do We Know About the Group Behind the Malicious Cyber Activities?
Microsoft representatives have stated the malicious online activities are attributable to a team of hackers known as Nickel. Nickel also operates under the names of APT15, Vixen Panda, Playful Dragon, Ke3Change, Bronze Palace, and Mirage. A Microsoft spokesperson stated the actors responsible for the threatening web domains have been active for nearly a decade.
The hackers targeted groups in the public and private sectors. Those targets were located in a wide array of regions, including nations in North America, South America, Central America, Africa, Europe, and the Caribbean.
Tom Burt, a Corporate Vice President with Microsoft, stated Nickel’s cyber targets align with adversaries to China. Microsoft’s brass believes Nickel is financed by the Chinese government or those interested in advancing the totalitarian nation-state’s interests.
How Were the Attacks Carried Out?
The Nickel hackers used rogue infrastructure to obtain ongoing access to target machines and carry out cyber attacks. The purpose of these cyber-attacks appears to be gathering intelligence from governments, human rights groups, think tanks, and other organizations.
Microsoft representatives describe the Nickel digital attacks as complex. Nickel hackers used several techniques, including obtaining remote access to services. The hackers exploited unpatched VPN appliance weaknesses, including SharePoint and Exchange Server systems. This digital attack inserted latent malware that steals data and tracks activity.
Nickel hackers also deploy tools for credential dumping, including WDigest and Mimikatz stealers. This approach hacks directly into targets’ accounts, transmitting malware to exfiltrate files, gathering emails, and executing shellcode by compromising credentials. The hackers used backdoor families such as Rokum, Leeson, Nulltch, NumbIdea, and Neoichor for command and control.
Why is the Seizure of Nickel Domains Important?
The seizure is important as it appears as though China might finance Nickel’s cyber activities. China’s influence is rapidly expanding across the globe, posing a threat to democracies and human rights worldwide. Microsoft’s decision to proactively seize the domains is a clear sign it will impede hackers’ attempts to harm democratic governments, human rights groups, and others worthy of protection.
