Court Lets Microsoft DCU Seize 42 Chinese Hacker Websites

The Microsoft Digital Crimes Unit (DCU) has seized 42 websites from the China-based hacking group Nickel, in an attempt to thwart the group’s intelligence-gathering operations. A Virginia federal court granted Microsoft’s request to take over the U.S.-based websites run by Nickel, also known as APT15. Microsoft had been tracking the group’s activities since 2016, deeming them “highly sophisticated,” with attacks designed to install malware that enabled surveillance and data theft. Nickel attacked organizations in the United States and 28 other countries around the world, DCU says.

Microsoft’s DCU believes the attacks were being used to gather intelligence from government agencies, think tanks and human rights organizations, writes Tom Burt, Microsoft’s vice president for customer security and trust, in a blog post.

Microsoft provided details of the phishing scheme in court documents unsealed Monday, but withheld the names of individuals and organizations neutralized in the sting, according to The New York Times.

Citing immediate and irreparable harm, the U.S. District Court for the Eastern District of Virginia acceded to the request for a temporary restraining order and required the hackers to turn the websites over to Microsoft. “Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Burt writes.

DCU has pursued an aggressive legal strategy against cybercriminals and nation-state hackers, bringing 24 lawsuits and taking down more than 10,000 malicious websites used by cybercriminals and another 600 exploited by nation-state actors, according to Burt. “We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future,” he adds.

U.S. cybersecurity agencies had warned of the “major threat” that Chinese hacking presented to America and its allies, reports NYT, noting that the Biden administration in July accused the Chinese government of a hacking campaign that compromised the email of some of the world’s biggest companies and governments.

Meanwhile, “the rapidly expanding criminal industry of ransomware” is “based primarily in Russia,” according to a separate NYT article, which cites a Treasury Department estimate of $1.6 billion in ransoms paid by American companies since 2011. Typically, ransom payments are made in cryptocurrencies that are then converted to conventional currencies.

The crime wave shows no signs of slowing down. Burt acknowledges that Microsoft DCU’s legal interventions, while disruptive, “will not prevent Nickel from continuing other hacking activities,” but adds that “we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”