Microsoft Whac-A-Moles Websites of Chinese Hackers APT15 (‘NICKEL’)

Microsoft issued another of its “look how clever we are” press releases yesterday. It claims to be thwarting Chinese hackers it codenames NICKEL.

Redmond’s researchers identified 42 websites allegedly used by the hacker group. Microsoft’s lawyers convinced a court to seize the sites, redirecting the traffic to Microsoft-run sinkhole servers, for analysis.

It’s not the first time we’ve seen Microsoft try this tactic. In today’s SB Blogwatch, we wonder if it actually does any good.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Twisted Mariah.

Vixen Panda, Royal Dragon

What’s the craic? Kellen Browning reports—“Microsoft Seizes 42 Websites From a Chinese Hacking Group”:

One of many ‘groundless attacks’
A federal court in Virginia … granted Microsoft’s request to allow its Digital Crimes Unit to take over the … websites, which were being run by a hacker group known as Nickel or APT15. The company is redirecting the websites’ traffic to … Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities.”

Nickel was attacking organizations in 29 different countries and was believed to be using the information … “for intelligence gathering from government agencies, think tanks, universities and human rights organizations,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said. … Microsoft did not name the organizations … targeted [but said] Nickel has targeted diplomatic organizations and foreign affairs ministries in the Western Hemisphere, Europe and Africa, among other groups.

In July, the Biden administration accused the Chinese government of being responsible for a hacking campaign earlier this year that compromised a Microsoft email service used by some of the world’s largest companies and governments. … The Chinese Embassy said at the time the accusation was one of many “groundless attacks.”

And Dan Goodin adds—“Move allows Microsoft to intercept traffic infected devices send to hacker’s servers”:

Sinkhole
Nickel has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. … Names other security researchers use for Nickel include “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT,” and “Playful Dragon.”

With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it’s diverted away from Nickel’s servers and to Microsoft-operated servers. [This] was the 24th lawsuit the company has filed against threat actors [using] the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law, as a way to seize domain names.

Who, how, what and why? Microsoft’s PR handlers handle the MSTIC and DSU researchers—“NICKEL targeting government organizations”:

Exfiltration
As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives.

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence.

NICKEL used compromised credentials to sign into victims’ Microsoft 365 accounts through normal sign-ins with a browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. … In several observed cases, NICKEL was seen performing regular data collection for exfiltration purposes.
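The access path described above, stolen credentials used for ordinary browser sign-ins and for the legacy Exchange Web Services protocol, is one that Microsoft 365 tenants can hunt for in their own sign-in logs. The following is an added example, not code from the article, from Microsoft or from MSTIC: it walks a set of constructed sign-in records and flags successful legacy-protocol sign-ins, raising the severity when the source IP has never been seen in that user's interactive (browser) sign-ins, and then groups the hits to surface the "regular data collection" pattern. The record shape and field names (clientAppUsed, ipAddress, status.errorCode) follow the author's understanding of the Microsoft Graph signIn resource and are an assumption; map them to whatever your export actually uses.

```python
# Added example (not the article's or Microsoft's code): flag Microsoft 365 sign-ins
# that use a legacy mail protocol such as Exchange Web Services (EWS), the path the
# MSTIC write-up describes NICKEL using with stolen credentials.
from collections import defaultdict

# Client-app labels treated as "legacy" here. The names follow the author's reading of
# Azure AD sign-in logs and are an assumption; adjust to your tenant's export.
LEGACY_CLIENT_APPS = {
    "Exchange Web Services",
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Other clients",
}

# Constructed sample records (not real telemetry), shaped like Graph API signIn objects.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-11-01T08:02:11Z", "userPrincipalName": "alice@example.org",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T08:05:40Z", "userPrincipalName": "alice@example.org",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-03T02:14:09Z", "userPrincipalName": "alice@example.org",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-04T02:16:51Z", "userPrincipalName": "alice@example.org",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    # A failed legacy attempt: interesting on its own, but not a successful mailbox read.
    {"createdDateTime": "2021-11-04T09:30:00Z", "userPrincipalName": "bob@example.org",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-11-04T10:12:00Z", "userPrincipalName": "bob@example.org",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
]


def is_success(rec):
    """Azure AD reports a successful sign-in with errorCode 0 (assumed convention)."""
    return rec.get("status", {}).get("errorCode") == 0


def interactive_baseline(signins):
    """Per user, the set of IPs seen in successful non-legacy (browser/modern) sign-ins.

    In a real deployment the baseline should come from a window *before* the period
    being hunted; here it is built from the same sample set for simplicity.
    """
    base = defaultdict(set)
    for r in signins:
        if is_success(r) and r["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            base[r["userPrincipalName"]].add(r["ipAddress"])
    return base


def find_legacy_signins(signins):
    """Return one finding per successful legacy-protocol sign-in.

    Severity is "high" when the source IP never appears in the user's interactive
    baseline, i.e. a mailbox is being read from somewhere the user never logs in.
    """
    base = interactive_baseline(signins)
    findings = []
    for r in signins:
        if not is_success(r) or r["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        known_ip = ip in base[user]
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": ip,
            "client": r["clientAppUsed"],
            "severity": "medium" if known_ip else "high",
            "reason": "legacy protocol sign-in"
                      + ("" if known_ip else " from IP absent from user's interactive baseline"),
        })
    return findings


def recurring_collection(findings, min_days=2):
    """Group findings by (user, source IP) and keep pairs active on >= min_days distinct
    days: the steady, repeated mailbox access that looks like scheduled collection."""
    days = defaultdict(set)
    for f in findings:
        days[(f["user"], f["ip"])].add(f["time"][:10])  # YYYY-MM-DD prefix
    return {pair: len(d) for pair, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    hits = find_legacy_signins(SAMPLE_SIGNINS)
    for h in hits:
        print(f'{h["time"]} {h["severity"]:6} {h["user"]} {h["ip"]} {h["client"]}: {h["reason"]}')
    for (user, ip), n in recurring_collection(hits).items():
        print(f"recurring: {user} via {ip} on {n} distinct days")
```

On the constructed sample this yields three findings (one medium, two high) and one recurring (user, IP) pair. The same logic is a reasonable starting query against real exports; the durable mitigation the pattern points at is disabling legacy authentication for the tenant so that a stolen password alone no longer opens a mailbox over EWS.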

Well done Microsoft? SplatMan_DK damns with faint praise:

Here’s hoping
An impressive feat, with a lot of interesting data coming out of it.

I hope Microsoft shares some of their insights with the security community at large. Though sadly, that’s not always a common trend in the industry. … Here’s hoping that security researchers carry more weight at Microsoft than the product managers of Intune, Azure Sentinel and Defender.

Speaking of Azure, this Anonymous Coward is not a fan:

If Microsoft would only do something about the abuse of their Azure platform. They have umpteen different abuse departments and of course the Whois information usually doesn’t actually provide the correct abuse contact information.

However, Freischutz is more supportive:

It’s not as if the people on the receiving end of this didn’t deserve it. … Microsoft seems to be doing a better job here than all the US three letter agencies put together, which might have something to do with Congress (D & R) sitting with its collective thumb up its collective **** fighting the culture wars on Twitter instead of governing the country.

As for criticizing Congress, deet agrees:

This is a commercial interest responding to a commercial threat. The politics is irrelevant until governments, not just Microsoft, do something about it.

But this “Digital Crimes Unit” sounds rather ominous. Tromos agrees:

I’d be a lot happier if MS had a Prevention of Digital Crimes Unit. As it stands, it sounds like they have set up a unit for producing digital crimes—but let’s leave that to the Windows development team.

Meanwhile, @Ymer31214745 quips thuswise:

So I guess Microsoft will not be doing any future business in China?

And Finally:

It’s her again

Hat tip: nospoon

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Pascal Müller (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
