Microsoft seizes domain names used by Chinese hacker group

Microsoft said it has taken control of servers used by a Chinese hacker group to compromise targets in line with the country’s geopolitical interests.

The hacker group, which Microsoft calls Nickel, has been in Microsoft’s sights since at least 2016, and the company has been tracking the now-disrupted intelligence-collection activity since 2019. The attacks, which targeted government agencies, think tanks, and human rights organizations in the United States and 28 other countries, were “very complex”, Microsoft said, and used a variety of techniques, including the exploitation of vulnerabilities in software that the targets had not yet patched.

Down but not out

Late last week, Microsoft sought a court order to seize the websites Nickel used to compromise its targets. The U.S. District Court for the Eastern District of Virginia granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft can now “sinkhole” the traffic, meaning it is redirected from Nickel’s servers to Microsoft-operated servers. That both neutralizes the threat and lets Microsoft gather intelligence about how the group and its software operate.
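The same principle that makes a sinkhole useful to Microsoft applies inside a victim organization: once a C2 domain has been seized, any internal host that keeps trying to resolve it is identifying itself as compromised. The script below is an added example, not code from the article or from Microsoft; the domain names, client IPs and resolver log lines are constructed placeholders (the article names no Nickel domains), and the BIND-style query-log format is an assumption about what the local resolver logs look like. It flags hosts querying a seized domain or any subdomain of it, while ignoring look-alike names that merely share a suffix.

```python
"""Added example: find internal hosts still beaconing to sinkholed C2 domains.

Input is a resolver query log; output maps each client IP to the seized
domains it queried and how often. All domains and log lines are constructed
placeholders, not the infrastructure described in the article.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed placeholder list of seized / sinkholed C2 domains.
SINKHOLED_DOMAINS = {
    "c2-placeholder-one.test",
    "update-check.example.invalid",
}

# Constructed resolver log lines in an assumed BIND-style query-log format.
SAMPLE_QUERY_LOG = """\
05-Dec-2021 10:01:02.117 client 10.0.4.21#53122: query: c2-placeholder-one.test IN A +
05-Dec-2021 10:01:05.009 client 10.0.4.21#53130: query: www.microsoft.com IN A +
05-Dec-2021 10:01:07.400 client 10.0.7.8#41022: query: cdn.update-check.example.invalid. IN A +
05-Dec-2021 10:02:11.001 client 10.0.4.21#53140: query: C2-Placeholder-One.TEST IN AAAA +
05-Dec-2021 10:02:13.222 client 10.0.9.3#40001: query: notc2-placeholder-one.test IN A +
malformed line that should be skipped
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_sinkhole(qname: str, sinkholed=SINKHOLED_DOMAINS) -> Optional[str]:
    """Return the sinkholed domain that qname equals or is a subdomain of.

    Matching only at a label boundary matters: 'notc2-placeholder-one.test'
    must not match 'c2-placeholder-one.test'.
    """
    q = normalize(qname)
    for domain in sinkholed:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def find_beaconing_hosts(log_text: str, sinkholed=SINKHOLED_DOMAINS):
    """Map each client IP to {sinkholed domain: query count}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip malformed or non-query lines
        domain = matches_sinkhole(m.group("qname"), sinkholed)
        if domain:
            hits[m.group("ip")][domain] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, domains in sorted(find_beaconing_hosts(SAMPLE_QUERY_LOG).items()):
        print(f"{ip}: {domains}")
```

Run against the sample log, the script reports 10.0.4.21 (two queries, one of them differently cased) and 10.0.7.8 (a subdomain with a trailing dot), and correctly leaves out 10.0.9.3, whose query only looks similar. Hosts on that list are the ones to isolate and examine for the credential-theft and custom-malware persistence described later in the article.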

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activity, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Targets include private and public sector organizations, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. There is usually a correlation between the targets and China’s geopolitical interests.

Targeted organizations are also located in other countries and regions, including Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.

The names other security researchers use for Nickel include “KE3CHANG”, “APT15”, “Vixen Panda”, “Royal APT” and “Playful Dragon”.

More than 10,000 websites have been shut down

The lawsuit Microsoft filed last week was the company’s 24th against threat actors, five of them against state-sponsored groups. These lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and nearly 600 websites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 sites that hackers planned to use in attacks.

In these lawsuits, Microsoft invoked various federal laws, including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and U.S. trademark law, as a basis for seizing domain names used for command-and-control servers. Legal action resulted in the confiscation of infrastructure used by the Kremlin-backed Fancy Bear hacker group in 2012, and by attack groups backed by Iran, China, and North Korea. The software maker has also used lawsuits to disrupt botnets such as Zeus, Nitol, ZeroAccess, Bamital, and Trickbot.

A legal action Microsoft took in 2014 resulted in the shutdown of more than 1 million legitimate servers that relied on No-IP.com, leaving a large number of law-abiding individuals unable to reach benign websites. Microsoft was criticized for the move.

VPN, stolen credentials and unpatched servers

In some cases, Nickel used compromised third-party VPN providers or credentials stolen through spear phishing to attack targets. In other cases, the group exploited vulnerabilities in on-premises Exchange Server or SharePoint systems that Microsoft had already patched but the victims had not yet installed. A separate blog post from the Microsoft Threat Intelligence Center explained:

MSTIC has observed NICKEL attackers using exploits against unpatched systems to compromise remote access services and devices. After a successful intrusion, they use credential dumpers or stealers to obtain legitimate credentials, and use these credentials to access the victim’s accounts. NICKEL attackers created and deployed custom malware that allowed them to remain persistent on the victim’s network for a long time. MSTIC has also observed NICKEL performing frequent and scheduled data collection and exfiltration from the victim’s network.
