Microsoft seized 42 websites from a Chinese hacking group on Monday in an effort to disrupt the group’s intelligence-gathering operations.
In a news release, the company revealed the US Federal court in Virginia had granted Microsoft’s request to allow its digital crimes unit to take over the US-based websites, which were being run by a hacker group known as Nickel or APT15.
The company is redirecting the websites’ traffic to secure Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities”.
Microsoft had been tracking Nickel since 2016 and had found that its “highly sophisticated” attacks were intended to install unobtrusive malware that allowed for surveillance and data theft.
As Tom Burt, Microsoft’s corporate vice-president of customer security and trust, outlined in the news release, Nickel was attacking organisations in 29 countries and, in this most recent case, was believed to be using the information it collected “for intelligence gathering from government agencies, think tanks, universities and human rights organisations”.
Microsoft did not name the organisations that had been targeted.
In court documents unsealed on Monday, Microsoft provided a detailed explanation of how the hackers targeted users through techniques like compromising third-party virtual private networks and phishing, in which a hacker poses as a trusted entity, often in an attempt to get someone to provide information like a password.
According to Microsoft, after using those strategies to install malware on a user’s computer, Nickel would then connect the computer with the malicious websites that Microsoft has since seized.
The company argued that the process, which involved the threat actors hacking into computers, making changes to Microsoft operating systems and sometimes posing as Microsoft, “involves abuse of Microsoft’s trademarks and brands, and deceives users by presenting an unauthorised, modified version of Windows to those users”.
In its decision, the court agreed to issue a temporary restraining order against the hackers and to turn the websites, which were registered in Virginia, over to Microsoft.
“There is good cause to believe that, unless defendants are restrained and enjoined by order of this court, immediate and irreparable harm will result from the defendants’ ongoing violations,” the court wrote in its decision.
Microsoft confirmed it had not discovered any new vulnerabilities in its products related to the attacks.
According to Burt, the disruption will not prevent Nickel from continuing other hacking activities.
“But we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt concluded.
Microsoft found that the group often targeted regions in which China has a geopolitical interest.
Nickel has targeted diplomatic organisations and foreign affairs ministries in the Western Hemisphere, Europe and Africa, among other groups, the company said.
Microsoft's digital crimes unit, through 24 lawsuits, had taken down more than 10,000 malicious websites used by cyber criminals and almost 600 used by nation-state actors, and had blocked the registration of 600,000 more.