Microsoft has dealt a severe blow to the activity of the Chinese hacker group known as Nickel. In a detailed press release issued in recent days, the Redmond company announced that its Digital Crimes Unit (DCU), the division that for years has dismantled botnets and worked to curb the growth of cybercrime, also through active collaboration with law enforcement and judicial authorities, has seized 42 websites attributed to the group and used by it as a staging base for cyber attacks on organizations (in particular government agencies and diplomatic entities) in the United States and around the world. Microsoft has published the complete list of seized domains.
It all started with the formal petition filed on December 2 by the Microsoft Digital Crimes Unit with a Virginia district court, in which the American division asked for permission to take control of the websites operated by the Chinese hacker group Nickel. With the court's endorsement, Microsoft redirected the traffic of those websites to servers under its own control (a sinkhole). To date, the division has managed to block more than 10,000 malicious websites used by cybercriminals.
The court order closes the circle on a laborious investigation that Microsoft has carried out over several years. By the Redmond company's own admission, Nickel had been under surveillance since 2016, when Microsoft's anti-botnet unit first discovered the group's criminal activity.
Nickel has been active for about a decade, targeting organizations and companies in the public and private sector in order to get its hands on sensitive information and data. Also known under various names (APT15, KE3CHANG, Vixen Panda, Royal APT and Playful Dragon), the group of cybercriminals of Asian origin has operated across the globe and, as highlighted in a passage of the press release, its actions have also reached Italy.
Nickel's modus operandi has adapted over the years to the evolution of IT techniques, while maintaining the same basic objective: to deliver custom malware into company networks in order to steal sensitive data and spy on government agencies and human rights organizations, then exfiltrate all of this information to servers under the group's control. “The malware is designed to make changes to the deeper and more sensitive layers of the computer's operating system,” Microsoft's digital security unit said in a statement.
The DCU noted that the Chinese hacker group was exploiting previously disclosed and already-patched vulnerabilities in some Microsoft products, including Exchange and SharePoint, and was gaining access through compromised third-party VPN (virtual private network) providers or through credentials stolen in targeted spear-phishing campaigns. Once it had a foothold, Nickel used a keylogger to acquire user credentials on the compromised systems; among the credential-dumping tools most popular with attackers are above all Mimikatz, WDigest and NTDSDump. Additionally, Nickel used the compromised credentials to log into victims' Microsoft 365 accounts, leveraging regular browser logins and the legacy Exchange Web Services (EWS) protocol to spy on users' email conversations.
The group typically placed its malware in the installation directories of third-party programs: a trick that hid the malicious code well, making it look like a genuine support file required by an application the user had installed. In fact, these files were backdoors capable of collecting system information, including IP address, operating system version, system language, PC name and the logged-in user name. They also had basic backdoor functionality, such as starting a process, uploading a file, downloading a file, and running shellcode in memory.
Microsoft's division has certainly dealt a severe blow to Nickel's operations by removing a key piece of the infrastructure the hacker group has so far relied on to prepare its attacks. Unfortunately, the battle is not yet won, and in a passage of the press release the Microsoft Digital Crimes Unit recommends a number of measures organizations can take to protect themselves from such malicious activity, among them enabling two-factor authentication on accounts.
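The press release's two points about account abuse (sign-ins over the legacy EWS protocol with stolen credentials, and the recommendation to enable two-factor authentication) translate directly into a sign-in log check. The following is an added example, not Microsoft's code or part of the original article: it scans constructed sign-in records shaped like Azure AD / Entra ID sign-in log entries (the field names `clientAppUsed` and `authenticationRequirement` and the sample values are assumed for illustration) and flags sign-ins that used a legacy mail protocol or completed without MFA.

```python
import json

# Constructed sample sign-in records (newline-delimited JSON) in the shape of
# Azure AD / Entra ID sign-in log entries; field names are assumed for illustration.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.org", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "bob@example.org", "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.9"}
{"userPrincipalName": "carol@example.org", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.9"}
{"userPrincipalName": "dave@example.org", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "192.0.2.44"}
"""

# Legacy protocols that cannot enforce a second factor and so work with a stolen
# password alone; EWS is the one named in the article.
LEGACY_PROTOCOLS = {
    "Exchange Web Services",
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole review
    return records


def flag_risky_signins(records):
    """Return sign-ins that used a legacy protocol or completed without MFA."""
    findings = []
    for r in records:
        app = r.get("clientAppUsed", "")
        used_mfa = r.get("authenticationRequirement") == "multiFactorAuthentication"
        reasons = []
        if app in LEGACY_PROTOCOLS:
            reasons.append("legacy protocol: " + app)
        if not used_mfa:
            reasons.append("no MFA")
        if reasons:
            findings.append({"user": r.get("userPrincipalName"),
                             "ip": r.get("ipAddress"), "reasons": reasons})
    return findings
```

In the sample, only the browser sign-in that completed with MFA passes; the two legacy-protocol sign-ins from the same source address are the pattern a defender would investigate first, and blocking legacy authentication removes that path entirely.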