Microsoft seizes control of 42 domains used by China-based Nickel hacking group

The company is now directing Nickel's traffic to its own servers

Microsoft says its Digital Crimes Unit (DCU) has taken control of 42 domains that were being operated by a China-based cyber-espionage group to carry out intelligence gathering in the US, as well as around the world.

Microsoft refers to the hacking group as Nickel, stating that its primary aim is to compromise and gather confidential data from government agencies, diplomatic entities, human rights organisations and think tanks.

Last week, the company sought an order from the US District Court for the Eastern District of Virginia to seize domains Nickel was using to infiltrate targets. The court gave Microsoft permission to seize control of the compromised websites, enabling it to divert traffic from Nickel's server to Microsoft's servers.

"Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help us protect existing and future victims while learning more about Nickel's activities," Tom Burt, Microsoft corporate vice president of customer security and trust, stated in a blog post.

While this won't stop Nickel's activities completely, Microsoft believes it has removed a key piece of the infrastructure that Nickel had been relying on for the latest wave of attacks.

Microsoft said it had been watching the group's activities since at least 2016, and observed some common activity with other threat groups known in the security community as APT15, APT25, and KeChang.

The Microsoft Threat Intelligence Center (MSTIC) started tracking the now-disrupted intelligence-gathering campaign in 2019.

It found that Nickel had been able to achieve long-term access to several targets, allowing the group to conduct activities such as regularly scheduled exfiltration of data.

Microsoft describes the attacks targeting organisations in the US and 28 other countries as "highly sophisticated". Nickel used a variety of techniques - including spear phishing and compromising third-party virtual private networks (VPNs) - to deploy hard-to-detect malware on victims' machines.

The group's malware is designed to make changes at the deepest levels of the Windows operating system, according to Microsoft.

As a result of these changes, the victim's operating system "is essentially adulterated" while the user remains unaware that their computer has been converted into a tool to steal credentials and sensitive information.

"No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we've seen from nation-states and cybercriminals working within their borders," Microsoft says.

"We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn't appropriate behaviour in cyberspace."

Microsoft says it has filed 24 lawsuits to date against threat actors, enabling the company to shut down a total of over 10,000 compromised websites.

The firm has also blocked the registration of 600,000 potentially malicious sites that hackers had planned to use in attacks.

Last year, Microsoft led a major offensive operation to take down the backend infrastructure of the notorious TrickBot malware botnet that used over 1 million infected systems to spread ransomware and steal financial and personal data.

Other firms that partnered with the Microsoft Defender team in the coordinated operation to knock the TrickBot C2 servers offline included ESET, Symantec, Lumen's Black Lotus Labs, FS-ISAC and NTT.