Microsoft seizes domains used by Chinese cyber-espionage group Nickel (APT15)

Microsoft said today that its legal team has successfully obtained a court warrant that allowed it to seize 42 domains used by a Chinese cyber-espionage group in recent operations that targeted organizations in the US and 28 other countries.

Tracked by Microsoft as Nickel, but also known under other names such as APT15, Mirage, or Vixen Panda, Ke3Chang, and others, the group has been active since 2012 and has conducted numerous operations against a broad set of targets.

Tom Burt, Microsoft VP of Customer Security & Trust, said today that the recent domains had been used for "intelligence gathering" from government agencies, think tanks, and human rights organizations.

Microsoft said it sinkholed the seized domains

Burt said the seized domains were being used to gather information and data from the hacked organizations.

"Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help us protect existing and future victims while learning more about Nickel's activities," Burt said in a blog post today announcing the company's legal action against Nickel domains.

"Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks," he added.

According to a technical report that accompanied today's legal action announcement, the group's victims had been hacked using compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns, which is in tune with similar industry reports detailing recent tactics used by Chinese espionage groups, in general. Exploitation attempts targeted Microsoft Exchange and SharePoint systems, and Pulse Secure VPNs, according to the OS maker.

A copy of the complaint filed by Microsoft is available here, while a list of the 42 seized domains is available here.

Microsoft's fifth legal action against nation-state groups

Last week's legal action also marks the 24th lawsuit Microsoft has filed in recent years against cybercrime and cyber-espionage groups.

Prior to last week's domain seizures, Microsoft had also filed lawsuits that allowed the company to take control of domains previously owned by the SolarWinds hackers, COVID-19 scamming operations, APT35 Iranian hackers, the Necurs botnet, and Thallium, a North Korean cyber-espionage group, and Nigerian BEC scammers.

Five of these previous legal actions targeted state-sponsored espionage groups, and Microsoft said it has now seized more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors.