Microsoft seized a number of websites that were being used by a China-based hacking firm to carry out cyberattacks against organizations in the United States and 28 other countries around the world, the company announced on Monday.
In a news release, the technology corporation said that a federal court in Virginia had granted Microsoft’s Dec. 2 request to allow its Digital Crimes Unit to seize the U.S.-based websites, which were being run by a hacker group known as Nickel, APT15, orVixen Panda, and stop them from carrying out such attacks.
Microsoft said it has been tracking Nickel since 2016 and monitoring these specific operations since 2019.
“We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations,” Microsoft’s corporate vice president of customer security and trust, Tom Burt, said.
The company is redirecting the websites’ traffic to secure Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities.”
However, Burt noted that “our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
The hackers’ “highly sophisticated” attacks use a variety of techniques but often consist of installing inconspicuous malware that allows for data theft and surveillance.
“Sometimes, Nickel’s attacks used compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns,” Burt said. “In some observed activity, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. However, we have not observed any new vulnerabilities in Microsoft products as part of these attacks.”
Microsoft has created “unique signatures to detect and protect from known Nickel activity” through its various security products, such as the Microsoft 365 Defender.
The hackers’ attacks targeted both organizations in the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa.
“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” Microsoft said.
Microsoft said it will continue to “take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace,” but acknowledged that it alone cannot prevent such attacks from cybercriminals.
The tech giant called on others operating within the industry, as well as governments and civil society to “come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace.”
So far, the company said its Digital Crimes Unit, through 24 lawsuits—five of which were against nation-state actors—had taken down more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors, and had blocked the registration of 600,000 more.
The Biden administration and U.S. cybersecurity agencies have warned that hacking by the People’s Republic of China’s (PRC) presents a “major threat” to the United States and its allies.
In July, the administration accused the Chinese government of being behind a hacking campaign against Microsoft, which allowed the attackers to exploit a flaw in a Microsoft email application to go after a number of American targets, including a university and local governments.
“We have raised our concerns about both this incident and the PRC’s broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the White House said in a statement at the time.
In August, the White House announced that a number of the country’s leading technology companies have pledged to invest billions of dollars to bolster cybersecurity by training tens of thousands of people in cybersecurity skills, enhancing open-source software security, and providing technical services to help local governments boost security protections.