According to a report on Microsoft’s blog, the Microsoft Digital Crimes Unit (DCU) has confiscated 42 websites used by the China-based hacking gang Nickel to attack companies in the United States and around the world.
The assaults were most likely carried out to acquire intelligence from government agencies, think tanks, and human rights organizations, according to Microsoft.
On December 2nd, a US District Court in Virginia granted Microsoft permission to take control of the compromised websites, allowing Microsoft to redirect traffic from those sites to Microsoft’s servers, as detailed in the court document.
While this will not completely stop Nickel’s attacks, Microsoft claims that it will help “protect current and future victims while learning more about Nickel’s activities.” The full list of confiscated websites is published in a separate PDF.
Nickel utilizes a “variety of approaches” to install malware on victims’ PCs, according to Microsoft’s initial complaint (PDF), including exploiting third-party virtual private networks and spear phishing. Because of the nature of Nickel’s attacks, the gang is able to steal sensitive data from the device without the user’s knowledge.
According to Microsoft’s complaint, “during the infection of a victim’s computer, Nickel executes malware designed to make changes at the deepest and most sensitive levels of the device’s Windows operating system.” “As a result of these alterations, the user’s version of Windows has been virtually polluted, and has been changed into a tool to steal credentials and sensitive information from the user without the user’s knowledge.”
Nickel has been tracked by Microsoft since 2016, and the group is also known as APT15, KE3CHANG, Vixen Panda, Royal APT, and Playful Dragon.
Nickel has targeted diplomatic organizations and foreign affairs ministries in countries across North America, South America, Central America, the Caribbean, Europe, and Africa. It is also said to select targets that are in line with China’s “geopolitical interests.”
Microsoft claims that, through the 24 cases it has brought so far, the DCU has shut down over 10,000 infected websites and stopped the registration of 600,000 potentially harmful sites.