Microsoft on Monday announced the seizure of 42 domains used by a China-based cyber-espionage group that targeted organizations in the United States and 28 other countries, following a ruling issued by a federal court in the US state of Virginia.
The Redmond company attributed the malicious activity to a group it tracks as Nickel, known to the broader cybersecurity industry under the designations APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon and Vixen Panda. The advanced persistent threat (APT) actor is believed to have been active since at least 2012.
“Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and foreign ministries in North America, Central America, South America, the Caribbean, Europe and Africa,” Microsoft’s Corporate Vice President of Customer Security and Trust, Tom Burt, said. “There is often a link between Nickel’s goals and China’s geopolitical interests.”
The malicious infrastructure enabled the group to maintain long-term access to compromised machines and carry out intelligence-gathering attacks against unnamed government agencies, think tanks and human rights organizations, as part of a digital espionage campaign dating back to September 2019.
Microsoft described the attacks as “highly sophisticated”, using a host of techniques, including compromising remote access services and exploiting vulnerabilities in unpatched VPNs, Exchange Server and SharePoint systems to “insert hard-to-detect malware that facilitates intrusion”, surveillance and data theft.
After gaining an initial foothold, Nickel has been observed deploying credential-dumping tools and stealers such as Mimikatz and WDigest to break into victim accounts, followed by the delivery of custom malware that allowed the actor to maintain persistence on victim networks over extended periods, perform regularly scheduled file exfiltration, execute arbitrary shellcode, and collect emails from Microsoft 365 accounts using the compromised credentials.
The various backdoor families used for command and control are tracked as Neoichor, Leeson, NumbIdea, NullItch and Rokum.
The latest wave of attacks adds to a long list of surveillance campaigns that the APT15 group has assembled in recent years. In July 2020, the mobile security company Lookout disclosed four Trojanized versions of legitimate apps – named SilkBean, DoubleAgent, CarbonSteal and GoldenEagle – targeted at the Uighur ethnic minority and the Tibetan community, with the purpose of collecting personal user data and transferring it to adversary-controlled command-and-control servers.
“As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and expands partnerships in support of China’s Belt and Road Initiative, we believe that China-based threat actors will continue to target customers in the government, diplomatic and NGO sectors to gain new insights, likely in the pursuit of economic espionage or traditional intelligence-gathering objectives,” Microsoft said.