Acting under a legal warrant issued by a federal court in the U.S. state of Virginia, Microsoft announced the seizure of 42 domains used by a China-based cyberespionage group that targeted organizations in the United States and 28 other countries.
The malicious activities were attributed to a group Microsoft tracks as Nickel, which the cybersecurity industry also knows by the monikers APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda. The advanced persistent threat (APT) actor is thought to have been active since at least 2012.
The rogue infrastructure allowed the hacking group to keep long-term access to the infected machines and carry out attacks for intelligence gathering purposes against unnamed government agencies, think tanks, and human rights organizations as part of a digital espionage campaign that began in September 2019.
After gaining an initial foothold, Nickel was observed deploying credential dumping tools and stealers like Mimikatz and WDigest to break into victim accounts, then delivering custom malware that let the attackers maintain persistence on victim networks for extended periods. With that access they conducted regularly scheduled file exfiltration, executed arbitrary shellcode, and collected emails from Microsoft 365 accounts using the compromised credentials.
The backdoor families under investigation, all used for command and control, are Neoichor, Leeson, NumbIdea, NullItch, and Rokum.
The latest wave of attacks adds to the APT15 group’s long list of surveillanceware campaigns in recent years. In July 2020, mobile security firm Lookout revealed four trojanized legitimate apps — SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle — that were designed to gather and transmit personal user data to adversary-operated command-and-control servers and targeted the Uyghur ethnic minority and the Tibetan community.
“As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives,” Microsoft said.