According to a judicial warrant granted by a federal court in the United States state of Virginia, Microsoft reported the seizure of 42 domains used by a China-based cyber espionage gang that targeted organisations in the United States and 28 other nations.
The harmful operations were ascribed to a group known as Nickel, as well as the monikers APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda used by the cybersecurity industry. Since at least 2012, the advanced persistent threat (APT) actor is thought to have been active.
“Nickel has targeted both private and public sector organisations, including diplomatic organisations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa,” said Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust.
“The targets of Nickel are strongly associated with China’s geopolitical interests.”
The rogue infrastructure allowed the hacking team to keep long-term access to the compromised machines and carry out attacks for intelligence gathering purposes against unnamed government agencies, think tanks, and human rights organisations as part of a digital espionage campaign that began in September of this year.
Microsoft painted the cyber assaults as “highly sophisticated” that used a multitude of techniques, including breaching remote access services and exploiting vulnerabilities in unpatched VPN appliances as well as Exchange Server and SharePoint systems to “insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.”
Nickel was discovered using credential dumping tools and stealers like Mimikatz and WDigest to gain an initial foothold, then delivering custom malware that allowed the actor to maintain persistence on victim networks for extended periods of time and conduct regularly scheduled file exfiltration, execute arbitrary shellcode, and collect emails from Microsoft 365 accounts using compromised credentials.
Neoichor, Leeson, NumbIdea, NullItch, and Rokum are among the many backdoor families used for command and control.
The latest wave of attacks adds to the APT15 group’s long catalogue of surveillanceware efforts in recent years. In July 2020, mobile security firm Lookout revealed four trojanized legitimate apps — SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle — that were designed to gather and transmit personal user data to adversary-operated command-and-control servers and targeted the Uyghur ethnic minority and the Tibetan community.
“As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives,” Microsoft said.