42 malicious websites used by Chinese espionage group got seized

Microsoft seized the domains linked to China-based hackers that targeted organizations in the US ad 28 other countries

Highly sophisticated hacker group linked to China stopped

Malicious domains used by Nickel China-backed hacker group seized. Threat actors use various methods to compromise the servers of government organizations, diplomatic entities, non-governmental organizations. The legal warrant was issued by a federal court in the US state of Virginia.^[1] Hacker group named Vixen Panda, Royal APT, Playful Dragon, or KE3CHANG mainly operate targeting Europe and Latin America, but the list has 29 countries.^[2]

Microsft experts reported the issue with this hacker group and its targets. Tom Burt, Corporate Vice President for Customer Security & Trust, said:

Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa.

Such attacks are largely used for certain information gathering when the government agencies are involved. Microsoft took down the infrastructure after the order was granted and seized the list of done domains.^[3] These sites were used to redirect to secret servers by changing the authoritative name servers – NS104a.microsoftintemetsafety.net and NS104b.microsoftintemetsafety.net.

The hacker group active at least since 2010

Microsoft reveals that the threat group was first spotted in 2016, and activities linked to the same Ke3chang group started in 2010. The group is observed since 2019, and since then, criminals have targeted government entities in Latin America and European countries. The goal of such attacks mainly is to deliver the malware to compromised servers. The infection can allow operators to access activities, data and collect the information to the separate servers.

A wide range of cybersecurity experts have analyzed this group and named the hackers using different names. All the activities linked with Nickel hackers have been reportedly increased and moved to target the government organization in private and public sectors since 2012.

Chinese threat actors can compromise the VPN services and use credentials from other attacks like spear-phishing^[4] or exploits. It is common for hackers to target particular machines that are not patched. Exchange servers and Share Point servers can be used to hack into the network of a particular organization.

Long-term access o the compromised machine

The investigators have already taken down many infrastructures like this. Microsoft itself reports having taken down at least 10 000 malicious websites used by various cybercriminals. At least 600 of those pages are used by nation-state threat actors.

We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future.

Malicious attackers are capable of keeping access to the affected network for a long time and evading detection. Executing attacks and gathering intelligence when targeting serious agencies becomes easier.^[5] Such particular attacks have been targeting governments for a few years already and attackers do not stop so easily.

Nickel group also abuses access to the systems by deploying other tools like credential dumping malware, stealers like Mimikatz, WDigest. Threats can hack users' accounts, maintain persistence, conduct other exfiltrations, execute arbitrary code, or collect emails using compromised logins.

The latest attacks are only at the end of this huge list with all the surveillance campaigns held by the APT15 group. In 2020 various firms suffered from them. Mobile security firm Lookout reported the trojanized legitimate application incident.^[6] Microsoft also has many other groups disrupted before, including the APT35 aka Charming Kitten. These attackers do not stop, but so do cybersecurity experts and investigators.