The Microsoft Digital Crimes Unit (DCU) has seized dozens of malicious websites used by China-based hacking group Nickel that target organizations in the United States and 28 other countries around the world.

On December 2, Microsoft filed pleadings with the U.S. District Court for the Eastern District of Virginia seeking authority to take control of the sites. The court quickly granted an order that was unsealed today following the completion of service on the hosting providers.

Microsoft’s DCU has been a pioneer in using this legal strategy against cybercriminals and, more recently, against nation-state hackers. To date, in 24 lawsuits – five against nation-state actors – we’ve taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future.

Tom Burt – Corporate Vice President, Customer Security & Trust wrote in a blog post today.

The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016 and analyzing this specific activity since 2019. As with any observed nation-state actor activity, Microsoft continues to notify customers that have been targeted or compromised, when possible, providing them with the information they need to help secure their accounts.

The attacks MSTIC observed are highly sophisticated and used a variety of techniques but nearly always had one goal: to insert hard-to-detect malware that facilitates intrusion, surveillance and data theft. Sometimes, Nickel’s attacks used compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns. In some observed activities, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems.

Hackers Spreading Powerful Malware Via Omicron News Emails

Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa. There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon.”

Countries in which Nickel has been active

In addition to the U.S., the countries in which Nickel has been active include: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom and Venezuela.