
Microsoft Disrupts Chinese Threat Actor Group Nickel

Microsoft disrupted the cybercriminal activities of Nickel, which targeted government agencies, think tanks, and human rights organizations in the U.S. and 28 other countries.


Microsoft announced that it had disrupted the operations of a Chinese cyberespionage group targeting organizations in the U.S. and 28 other countries. Tracked as Nickel, the advanced persistent threat (APT) group has been linked to various cyberattacks across the globe since 2012, under different names including APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda.

Nickel’s activities included stealing confidential information from government agencies, think tanks, and human rights organizations. Microsoft also cut off the group’s access to its victims and prevented the group’s malicious websites from being used in further attacks.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Microsoft said.

Nickel’s Cyberespionage

Microsoft researchers observed the Nickel group using a variety of advanced techniques to deploy specially crafted, hard-to-detect malware that facilitates intrusion, surveillance, and data theft. The group also gained access to targets through compromised third-party virtual private network (VPN) suppliers or through credentials stolen in spear-phishing campaigns. Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa.


“Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers, and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem, and we will continue to share the activity we see, regardless of where it originates,” Microsoft added.

Cyberespionage on the Rise

A security research team from Palo Alto Networks’ Unit 42 uncovered an ongoing cyberespionage campaign by a Chinese group that has already targeted nine organizations belonging to critical global sectors, including education, defense, health care, energy, and technology. The campaign is reportedly focused on stealing critical information from U.S. defense contractors. It is believed the techniques used in the campaign are similar to those of the Chinese threat group Emissary Panda, also known as TG-3390 and APT27.