Microsoft seizes domains used by Chinese hacking group


Microsoft has revealed that it has disrupted the activities of a China-based hacking group it has been tracking since 2016.

A federal court in Virginia granted the company’s request to seize websites belonging to the group, dubbed Nickel, which was using them to attack organisations in the US and 28 other countries around the world.

Microsoft believes the attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organisations.

Microsoft said it had been tracking Nickel since 2016 and analysing the way it has targeted government organisations across Latin America and Europe since 2019. The tech giant said the attacks were highly sophisticated and nearly always had one goal: to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft.

Sometimes, the attacks used compromised third-party virtual private network suppliers or stolen credentials obtained from spear phishing campaigns. In some observed activity, the malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. Microsoft underlined that it had not observed any new vulnerabilities in its products as part of the attacks, and that it has created unique signatures in its security products to detect and protect against known Nickel activity.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” said Tom Burt, Microsoft corporate vice president of Customer Security & Trust.




“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

The tech giant explained that Nickel targeted organisations in both the private and public sectors, including diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa. It added that there is often a correlation between Nickel’s targets and China’s geopolitical interests.

Other countries in which Nickel has been active include Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.

The company added that others in the security community who have researched the group refer to them by different names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon.

Zach Marzouk
