The offices of Microsoft's Digital Crimes Unit (DCU), in Redmond, Washington. (Image courtesy Microsoft)

● Microsoft’s Digital Crimes Unit has disrupted the activities of a China-based hacking group called Nickel.

● Countries in which Nickel has been active include: United States, Argentina, Brazil, Chile, Colombia, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Jamaica, Mexico, Panama, Peru, Trinidad and Tobago and Venezuela.

● The observed attacks are very sophisticated and use a variety of techniques.

Microsoft’s Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group called Nickel, which Microsoft says has been behind several cyberattacks to cover what is believed to be “intelligence gathering from government agencies, think tanks and human rights organizations”.

Trinidad and Tobago was listed among several countries around the world, including CARICOM Member States, which have been identified as victims of the hacking group’s activities.

An official statement from Microsoft follows…

(MICROSOFT) — The Microsoft’s Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group we call Nickel. In documents that were unsealed this week, a Federal Court in Virginia has granted the request to seize the websites Nickel used to attack organizations from the United States, Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela, enabling Microsoft to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. Microsoft believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations.

On December 2, Microsoft filed pleadings with the U.S. District Court for the Eastern District of Virginia seeking authority to take control of the sites. The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help protect existing and future victims while learning more about Nickel’s activities. Microsoft disruption will not prevent Nickel from continuing other hacking activities, but it removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.

Microsoft’s DCU has been a pioneer in using this legal strategy against cybercriminals and, more recently, against nation-state hackers. To date, in 24 lawsuits—five against nation-state actors—Microsoft took down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. Microsoft has also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future.

The offices of Microsoft’s Digital Crimes Unit (DCU), in Redmond, Washington. (Image courtesy Microsoft)

Microsoft’s Threat Intelligence Center (MSTIC) has tracked Nickel since 2016 and has been analyzing this specific activity since 2019. As with any observed activity of a state-nation actor, Microsoft continues to send notifications to customers who have been attacked or compromised, when possible, providing them with the information they need to help protect their accounts.

The attacks MSTIC observed are very sophisticated and use a variety of techniques, but they almost always had one goal: to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft. Sometimes, Nickel attacks used compromised third-party virtual private network (VPN) providers or stolen credentials obtained from spear phishing campaigns.

In some observed activity, the Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. However, any new vulnerabilities have been observed in Microsoft products as part of these attacks. Microsoft has created unique signatures to detect and protect from known Nickel activity through its security products, such as Microsoft 365 Defender.

Nickel has targeted both public and private sector organizations, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. There is often a correlation between Nickel’s goals and China’s geopolitical interests. Other members of the security community who have researched this group of actors refer to the group by other names, including “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT,” and “Playful Dragon.”

Nation-state attacks continue to proliferate in number and sophistication. Microsoft’s goal, in this case, as in previous disruptions targeting Barium, which operates from China, Strontium, which operates from Russia, Phosphorus, which operates from Iran, and Thallium, which operates from North Korea, is to take down malicious infrastructure, better understand the tactics of actors, protect customers, and inform the broader debate about acceptable norms in cyberspace.

“We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share the activity we see, regardless of where it originates,” said Tom Burt, corporate vice president of security and customer trust.

Tom Burt says no individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders.

“We need industry, governments, civil society and others to come together and establish a new consensus for what is and is not appropriate behaviour in cyberspace. We are encouraged by recent progress. Last month, the United States and the European Union joined the Paris Call for Trust and Security in Cyberspace, the world’s largest multi-stakeholder confirmation of core principles of cybersecurity with more than 1,200 endorsers,” Burt said.

The Oxford Process has brought together some of the best legal minds to evaluate the application of international law to cyberspace. And the United Nations has taken critical steps to advance dialogue among stakeholders. “It is our responsibility, and that of every entity with the relevant expertise and resources, to do whatever we can to help bolster trust in technology and protect the digital ecosystem.”