"Microsoft Seizes Domains Used by China-Linked APT 'Nickel'"

Microsoft says it has seized control of domains that the China-linked threat actor Nickel has been using in malicious attacks against organizations in the United States and worldwide. Microsoft took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia. While the move will cut off the group's access to some of its victims, it is unlikely to put an end to Nickel's activities. Microsoft does, however, believe that the infrastructure it just seized was used as part of the group's most recent wave of attacks. Microsoft noted that obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help it protect existing and future victims while learning more about Nickel's activities.

Microsoft stated that Nickel has been using the now-seized websites to execute attacks on victims in a total of 29 countries in Europe, Central and South America, the Caribbean, and North America, primarily to harvest intelligence from government agencies, human rights organizations, and think tanks since 2019. Nickel has been active since at least 2013 and is also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda. The group is likely sponsored by the Chinese government, as its activities often align with China's geopolitical interests.

Microsoft noted that Nickel uses vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials to compromise targets, as well as custom, hard-to-detect malware that supports intrusion, surveillance, and data exfiltration. Nickel targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems; no new vulnerabilities in Microsoft products were involved.

SecurityWeek reports: "Microsoft Seizes Domains Used by China-Linked APT 'Nickel'"