Chinese hacking group hacked 42 websites which are now seized back by Microsoft
The company said in a news release that a federal court in Virginia had granted Microsoft’s request to allow its Digital Crimes Unit to take over the U.S.-based websites, which were being run by a hacker group known as Nickel or APT15. The company is redirecting the websites’ traffic to secure Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities.”
Microsoft said it had been tracking Nickel since 2016 and had found that its “highly sophisticated” attacks intended to install unobtrusive malware that allowed for surveillance and data theft.
In this most recent case, Nickel was attacking organizations in 29 countries and was believed to be using the information it collected “for intelligence gathering from government agencies, think tanks, universities and human rights organizations,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in the news release. Microsoft did not name the organizations that had been targeted.
In court documents unsealed on Monday, Microsoft provided a detailed explanation of how the hackers targeted users through techniques like compromising third-party virtual private networks and phishing, in which a hacker poses as a trusted entity, often in an attempt to get someone to provide information like a password.
After using those strategies to install malware on a user’s computer, the company said, Nickel would connect the computer with the malicious websites that Microsoft has since seized.
The company argued that the process, because it involved hacking into computers and making changes to Microsoft operating systems and sometimes posing as Microsoft, “involves abuse of Microsoft’s trademarks and brands, and deceives users by presenting an unauthorized, modified version of Windows to those users.”
In its decision, the court agreed to issue a temporary restraining order against the hackers and to turn the websites, which were registered in Virginia, over to Microsoft.
“There is good cause to believe that, unless defendants are restrained and enjoined by order of this court, immediate and irreparable harm will result from the defendants’ ongoing violations,” the court wrote in its decision.
“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Mr. Burt said.
Microsoft said it had found that the group often targeted regions in which China has a geopolitical interest. Nickel has targeted diplomatic organizations and foreign affairs ministries in the Western Hemisphere, Europe and Africa, among other groups, the company said.
The company said its Digital Crimes Unit, through 24 lawsuits, had taken down more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors, and had blocked the registration of 600,000 more.
John Hammond, a researcher at the cybersecurity company Huntress Labs, said Microsoft’s move against the websites was a good example of “proactive protection against cybercrime.”
“This action from Microsoft is a fine example of making those pre-emptive efforts before threat actors do more damage,” Mr. Hammond said, adding that it “sends a signal to the aggressor when key infrastructure gets taken offline.”
U.S. cybersecurity agencies have warned that Chinese hacking presents a “major threat” to the United States and its allies.
In July, the Biden administration accused the Chinese government of being responsible for a hacking campaign this year that compromised a Microsoft email service used by some of the world’s largest companies and governments.
Some of the European governments who condemned China at the time accused it of allowing hackers to operate in Chinese territory, but the United States and Britain went a step further, saying the Chinese government was directly responsible.
China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” Secretary of State Antony J. Blinken said at the time.
Liu Pengyu, a spokesman for the Chinese Embassy, said at the time that the accusation was one of many “groundless attacks.”