Posted on December 7, 2021 at 7:09 PM
Microsoft has announced the seizure of 42 domains believed to be used by a Chinese-based hacking syndicate to carry out cyber espionage on US organizations.
The tech giant stated that it obtained a legal warrant from a federal court in the US state of Virginia to carry out the seizure.
Microsoft noted that the hacking syndicate it calls Nickel is known across the wider cybersecurity community under different monikers, such as APT15, Vixen Panda, Playful Dragon, Bronze Palace, Mirage, and Ke3chang. According to the report, the advanced persistent threat (APT) actor has been active since 2012.
Microsoft Says The Threat Actors Abuse Its Trademarks And Brands
According to Microsoft, since the incident involves hacking into computers and making changes to Microsoft’s operating systems, it is an “abuse of Microsoft’s trademarks and brands”. The company goes on to say that the activity presents an unauthorized and modified version of Windows to users, deceiving them in the process. As a result, it obtained court orders to seize all the websites that were used to link to the malware.
In response, the court agreed to turn the Virginia-registered websites over to Microsoft and issued a temporary restraining order against the hackers.
Vice President of Customer Security and Trust, Tom Burt, stated that Nickel has launched attacks on several organizations in both the public and private sectors in the US and 28 other countries. Its targets also include ministries of foreign affairs in Europe, South America, North America, Africa, Central America, and the Caribbean.
“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” he added.
The seizure comes as security researchers continue to uncover an extensive list of surveillanceware campaigns mounted by state-sponsored threat actors in recent years.
Mobile security firm Lookout, in 2020, disclosed four trojanized apps that targeted the Uyghur ethnic minority. The security researchers noted that the apps – GoldenEagle, CarbonSteal, DoubleAgent, and SilkBean – also targeted the Tibetan community to gather and transmit personal user data.
More Cyber Threats Linked To China-Based Hackers
Microsoft stated that China-based threat actors will continue to target customers in NGO, diplomatic, and government sectors to gain new insights as China continues to expand its relationships with other countries in the world.
The threat group was probably using the seized websites to plant malware that enabled it to steal data from government agencies and other organizations. According to the tech giant, the threat actors use highly sophisticated attacks that install unobtrusive malware that allows surveillance and data theft.
Microsoft provided details of the attackers’ activities and how they have managed to target organizations. According to the firm, they use techniques that compromise third-party virtual private networks. They also use phishing, in which the threat actors pose as a trusted entity to deceive the target into providing their login details and password.
In court documents unsealed on Monday, Microsoft gave a detailed explanation of how the hackers targeted users through techniques such as compromising third-party virtual private networks and phishing, in which a hacker poses as a trusted entity, often in an attempt to get someone to hand over information like a password.
This gave the threat actors long-term access to the infiltrated systems while they carried out attacks to gather intelligence on different government agencies, human rights organizations, and research institutions.
The Hackers Deploy Several Techniques To Gain A Foothold
Microsoft also said the hackers use several other techniques, including exploiting bugs in unpatched VPN appliances and breaching remote access services to plant hard-to-detect malware. Once the malware is installed on the affected system, it facilitates surveillance, intrusion, and data theft.
Microsoft explained that after Nickel gains an initial foothold, it deploys credential dumping tools and stealers such as WDigest and Mimikatz to break into victims’ accounts.
After the initial penetration, the hackers deliver custom malware that enables them to maintain persistence on victim networks for long periods.
The hackers also carry out regularly scheduled exfiltration of files, collect emails from Microsoft 365 accounts, and execute arbitrary shellcode.
The multiple backdoor families the threat actors use for command and control are tracked as Rokum, NullItch, NumbIdea, Leeson, and Neoichor.
The company added that after the threat actors have used these strategies to install malware on the target’s system, they connect the system to the malicious websites that have now been seized.
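The WDigest abuse mentioned above relies on the security provider caching plaintext logon credentials in LSASS, which Mimikatz-style dumpers then read out. The following PowerShell is an added example (not from the article or from Microsoft) that audits and pins the relevant settings on a Windows host; the function names are my own, and it assumes local administrator rights.

```powershell
# Added example (not from the article or Microsoft): audit and harden the
# LSASS credential settings that WDigest/Mimikatz-style dumping depends on.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialHardeningState {
    # UseLogonCredential = 1 makes WDigest keep plaintext passwords in memory.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential
    # RunAsPPL >= 1 runs LSASS as a protected process, blocking unsigned readers.
    $runAsPPL = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        # On supported Windows versions an absent value means "off"; an explicit 1
        # means plaintext caching was deliberately turned back on (a dumping enabler).
        WDigestPlaintextCaching = if ($useLogonCred -eq 1) { 'ENABLED (weak)' } else { 'disabled' }
        LsaProtection           = if ($runAsPPL -ge 1) { 'enabled' } else { 'not enabled' }
    }
}

function Set-CredentialHardening {
    # Pin UseLogonCredential to 0 explicitly instead of trusting the default.
    New-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null
    # Enable LSA protection; this only takes effect after a reboot and can break
    # third-party LSA plugins that are not signed, so test before wide rollout.
    New-ItemProperty -Path $lsaKey -Name RunAsPPL `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report the current state; run Set-CredentialHardening to apply the fix.
Get-CredentialHardeningState
```

Changes to either value are worth alerting on (for example via registry-modification auditing), since an attacker who already has a foothold will flip UseLogonCredential back to 1 before dumping.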