Microsoft’s Digital Crimes Unit (DCI) said on Monday that a federal court in Virginia had granted an order allowing the company to take control of the websites and redirect the traffic to Microsoft servers. These malicious websites were being used by a state-sponsored hacking group known as Nickel or APT15, to gather intelligence from government agencies, think tanks, and human rights organizations, according to the company.
Microsoft didn’t name Nickel’s targets but said the group was targeting organizations in the U.S. and 28 other countries. It added that “there is often a correlation between Nickel’s targets and China’s geopolitical interests.”
Microsoft, which has been tracking Nickel since 2016 and previously described it as one of the “most active” hacking groups targeting government agencies, said it observed “highly sophisticated” attacks that installed hard-to-detect malware that facilitates intrusion, surveillance, and data theft. In some cases, Nickel’s attacks used compromised third-party virtual private network (VPN) suppliers and credentials obtained from spear-phishing campaigns, according to Microsoft, and in others, vulnerabilities in Microsoft’s own Exchange Server and SharePoint system were used to infiltrate companies. However, Microsoft noted that it has “not observed any new vulnerabilities in Microsoft products as part of these attacks.”
“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” wrote Tom Burt, Microsoft’s corporate vice president for customer security and trust. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
In addition to the U.S., Nickel also targeted organizations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom and Venezuela.
Microsoft said its Digital Crimes Unit, through 24 lawsuits, had taken down more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors. Earlier this year, the team took control of malicious web domains used in a large-scale cyberattack that targeted victims in 62 countries with spoofed emails.