Microsoft on Monday announced that a federal court had granted a request to allow the company to seize websites being used by a China-based hacking group that was targeting organizations in the United States and 28 other nations.
The hacking group, which Microsoft has dubbed “Nickel,” was observed to be targeting think tanks, human rights organizations, government agencies and diplomatic organizations for intelligence gathering purposes.
The court order unsealed Monday in the Eastern District of Virginia allowed the Microsoft Digital Crimes Unit to take control of the websites used by Nickel and redirect the traffic to Microsoft servers. Customers impacted by the hacking efforts have been notified.
“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the corporate vice president of Customer Security and Trust at Microsoft, wrote in a blog post published Monday.
“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt added.
Microsoft’s Threat Intelligence Center began tracking Nickel in 2016, with the group consistently using malware to intrude into company networks, conduct surveillance, and steal data. Vulnerabilities in Microsoft’s Exchange Server and SharePoint system were among those used to infiltrate companies, though Burt emphasized that there were “no new vulnerabilities” in Microsoft products discovered while investigating Nickel’s activities.
Organizations targeted by the hacking group include those in countries across North America, South America, the Caribbean, Central America, Europe and Africa, such as the United States, Brazil, Colombia, France, Italy, the United Kingdom and dozens more. Burt noted that there was a “correlation” between Chinese geopolitical interests and the organizations targeted.
“We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share activity we see, regardless of where it originates,” Burt wrote.
Microsoft included the group in its Digital Defense Report published in October, describing Nickel as one of the “most active” hacking groups targeting government agencies, and warning that Nickel’s attacks had been successful 90 percent of the time.
The move to disrupt Nickel was the latest in a string of court-approved efforts Microsoft has undertaken to disrupt malicious hackers.
Microsoft previously took control of networks used by the hacking group “TrickBot” to disrupt ransomware viruses ahead of the 2020 U.S. elections. In 2018, the company took over networks used by Strontium, a hacking group associated with the Russian government, and in 2019 took similar steps to disrupt the operations of North Korean- and Iranian-linked hacking groups.
“It is our responsibility, and that of every entity with the relevant expertise and resources, to do whatever we can to help bolster trust in technology and protect the digital ecosystem,” Burt wrote.