

T&T among several countries hit by cyberattacks from international hacking group – Microsoft

Published: December 16, 2021

●  Microsoft's Digital Crimes Unit has disrupted the activities of a China-based hacking group called Nickel.

●  Countries in which Nickel has been active include: United States, Argentina, Brazil, Chile, Colombia, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Jamaica, Mexico, Panama, Peru, Trinidad and Tobago and Venezuela.

●  The observed attacks are very sophisticated and use a variety of techniques.

Microsoft's Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group called Nickel, which Microsoft says has been behind several cyberattacks carried out for what is believed to be “intelligence gathering from government agencies, think tanks and human rights organizations”.

Trinidad and Tobago was listed among several countries around the world, including CARICOM Member States, which have been identified as victims of the hacking group’s activities.

An official statement from Microsoft follows:

(MICROSOFT) — Microsoft's Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group we call Nickel. In documents that were unsealed this week, a Federal Court in Virginia has granted the request to seize the websites Nickel used to attack organizations from the United States, Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela, enabling Microsoft to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. Microsoft believes these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations.

On December 2, Microsoft filed pleadings with the U.S. District Court for the Eastern District of Virginia seeking authority to take control of the sites. The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help protect existing and future victims while learning more about Nickel’s activities. Microsoft’s disruption will not prevent Nickel from continuing other hacking activities, but it removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.

Microsoft’s DCU has been a pioneer in using this legal strategy against cybercriminals and, more recently, against nation-state hackers. To date, in 24 lawsuits—five against nation-state actors—Microsoft has taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. Microsoft has also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future.

Microsoft's Threat Intelligence Center (MSTIC) has tracked Nickel since 2016 and has been analyzing this specific activity since 2019. As with any observed activity of a nation-state actor, Microsoft continues to send notifications to customers who have been attacked or compromised, when possible, providing them with the information they need to help protect their accounts.

The attacks MSTIC observed are very sophisticated and use a variety of techniques, but they almost always had one goal: to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft. Sometimes, Nickel attacks used compromised third-party virtual private network (VPN) providers or stolen credentials obtained from spear phishing campaigns.

In some observed activity, the Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. However, no new vulnerabilities have been observed in Microsoft products as part of these attacks. Microsoft has created unique signatures to detect and protect from known Nickel activity through its security products, such as Microsoft 365 Defender.

Nickel has targeted both public and private sector organizations, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. There is often a correlation between Nickel's goals and China's geopolitical interests. Other members of the security community who have researched this group of actors refer to the group by other names, including "KE3CHANG," "APT15," "Vixen Panda," "Royal APT," and "Playful Dragon."

Nation-state attacks continue to proliferate in number and sophistication. Microsoft's goal, in this case, as in previous disruptions targeting Barium, which operates from China, Strontium, which operates from Russia, Phosphorus, which operates from Iran, and Thallium, which operates from North Korea, is to take down malicious infrastructure, better understand the tactics of actors, protect customers, and inform the broader debate about acceptable norms in cyberspace.

"We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share the activity we see, regardless of where it originates," said Tom Burt, corporate vice president of security and customer trust.

Tom Burt says no individual action from Microsoft or anyone else in the industry will stem the tide of attacks we've seen from nation-states and cybercriminals working within their borders.

"We need industry, governments, civil society and others to come together and establish a new consensus for what is and is not appropriate behaviour in cyberspace. We are encouraged by recent progress. Last month, the United States and the European Union joined the Paris Call for Trust and Security in Cyberspace, the world's largest multi-stakeholder confirmation of core principles of cybersecurity with more than 1,200 endorsers," Burt said.

The Oxford Process has brought together some of the best legal minds to evaluate the application of international law to cyberspace. And the United Nations has taken critical steps to advance dialogue among stakeholders. "It is our responsibility, and that of every entity with the relevant expertise and resources, to do whatever we can to help bolster trust in technology and protect the digital ecosystem."
