Microsoft recently disclosed the successful seizure of 42 malicious domains linked to a China-based cyber espionage group, targeting organizations in the United States and 28 other nations. This operation followed a legal warrant issued by a federal court in Virginia, affirming the need to counteract these threats.

The group, referred to by Microsoft as Nickel, is also recognized in the cybersecurity community under various aliases such as APT15, Bronze Palace, and Ke3Chang. Active since at least 2012, this advanced persistent threat (APT) actor has been implicated in a wide range of cyber intrusions aimed at both governmental and private sector entities.

Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, noted that Nickel often aligns its targets with China’s geopolitical objectives. The group’s operations have included attempts to breach foreign ministries and diplomatic organizations across North America, Central and South America, the Caribbean, Europe, and Africa.

The seized domains had allowed the group to maintain ongoing access to targeted machines and to run intelligence-gathering operations against government agencies and think tanks. The campaign, which began in September 2019, has encompassed a number of high-profile entities, underscoring the sophistication of the attacks.

Microsoft described these cyber operations as “highly sophisticated,” employing multiple techniques, including leveraging vulnerabilities in remote access services, unpatched VPN appliances, and Exchange Server and SharePoint systems. These exploits facilitated the installation of difficult-to-detect malware for surveillance and data theft.

Following initial access, the Nickel group has utilized credential dumping tools like Mimikatz and WDigest, enabling them to compromise victim accounts. They have deployed custom malware to ensure long-term persistence across networks, facilitating regular file exfiltration, running arbitrary shellcode, and gathering emails from targeted Microsoft 365 accounts using stolen credentials.
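Because the article names WDigest among the credential-dumping avenues, a defender reading it would want to know whether their own hosts still cache plaintext credentials in LSASS memory. The following PowerShell audit is an added example, not code from Microsoft or from the article; it reads the two registry values that govern WDigest credential caching and LSA protection (the registry paths and the interpretation of the values are taken from Microsoft's published hardening guidance, and the reporting format is my own).

```powershell
# Added example (not from the article): audit a Windows host for the two LSASS
# hardening settings most relevant to credential-dumping tools such as Mimikatz.
# Run in an elevated PowerShell session.

function Get-LsassHardeningStatus {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # UseLogonCredential: 1 means WDigest keeps plaintext passwords in LSASS memory.
    # On Windows 8.1 / Server 2012 R2 and later an absent value means disabled (0);
    # on older systems with KB2871997 it must be set to 0 explicitly.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' `
                     -ErrorAction SilentlyContinue).UseLogonCredential

    # RunAsPPL: 1 means LSASS runs as a Protected Process Light, which blocks
    # non-protected processes from reading its memory.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' `
                 -ErrorAction SilentlyContinue).RunAsPPL

    $osBuild = [System.Environment]::OSVersion.Version.Build
    # Build 9600 is Windows 8.1 / Server 2012 R2, the first release that
    # disables WDigest caching by default.
    $modernDefault = $osBuild -ge 9600

    $wdigestCaching = if ($null -eq $useLogonCred) { -not $modernDefault }
                      else { $useLogonCred -eq 1 }

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        OSBuild                 = $osBuild
        WDigestUseLogonCred     = if ($null -eq $useLogonCred) { 'absent' } else { $useLogonCred }
        WDigestPlaintextCaching = $wdigestCaching      # $true is the weak state
        LsaRunAsPPL             = if ($null -eq $runAsPpl) { 'absent' } else { $runAsPpl }
        LsaProtectionEnabled    = ($runAsPpl -eq 1)
    }
}

$status = Get-LsassHardeningStatus
$status | Format-List

if ($status.WDigestPlaintextCaching) {
    Write-Warning "WDigest plaintext caching is ON. Remediate with:"
    Write-Warning "  Set-ItemProperty -Path '$wdigestKey' -Name UseLogonCredential -Value 0 -Type DWord"
}
if (-not $status.LsaProtectionEnabled) {
    Write-Warning "LSA protection (RunAsPPL) is OFF. Enable with (reboot required):"
    Write-Warning "  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -Type DWord"
}
```

The script only reads the registry and prints the remediation commands rather than applying them, so it can be run across a fleet (for example via `Invoke-Command`) to find hosts where a credential-dumping tool would still recover plaintext passwords from LSASS. Note that the `$wdigestKey` variable referenced in the warning text is local to the function; when adapting the script, inline the path in the message or move the variable to script scope.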

The various backdoor families identified, including Neoichor, Leeson, NumbIdea, NullItch, and Rokum, have provided the attackers with extensive command and control capabilities, allowing them to execute operations unnoticed.

The most recent attack adds to a growing list of surveillance initiatives attributed to the APT15 group. A notable instance occurred in July 2020, when mobile security firm Lookout revealed several trojanized applications aimed at the Uyghur ethnic minority and Tibetan community, specifically designed to harvest user data for adversarial intelligence operations.

As China’s global influence continues to expand alongside its diplomatic initiatives, it is likely that cyber espionage efforts will intensify. Microsoft has underscored the expectation that state-sponsored actors will persist in targeting government, diplomatic, and NGO sectors to acquire crucial insights, potentially for economic or traditional intelligence objectives. The operational methodologies employed by these actors align with various tactics and techniques outlined in the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation.
