Microsoft seized 42 domains used by the China-linked APT15 cyberespionage group

Pierluigi Paganini December 07, 2021

Microsoft seized dozens of malicious domains used by the China-linked APT15 group to target organizations worldwide.

Microsoft announced to have obtained a court warrant that allowed it to seize 42 domains used by a China-linked APT15 group (aka Nickel, Ke3changMirageVixen PandaRoyal APT and Playful Dragon) in recent operations that targeted organizations in the US and 28 other countries.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide in several industries, including defense, high tech, energy, government, aerospace, and manufacturing. The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks.

“The Microsoft Digital Crimes Unit (DCU) has disrupted the activities of a China-based hacking group that we call Nickel. In documents that were unsealed today, a federal court in Virginia has granted our request to seize websites Nickel was using to attack organizations in the United States and 28 other countries around the world, enabling us to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.” reads the post published by Microsoft.

According to Tom Burt, Microsoft VP of Customer Security & Trust, the seized domains had been used for intelligence gathering from government agencies, think tanks, and human rights organizations.

The seizure of the domains allowed Microsoft to sinkhole them to gather information about the victims of the cyberespionage group. The traffic from the infected systems attempting to contact the malicious domains was redirected to Microsoft’s secure servers preventing data exfiltration and further infections.

This isn’t the first time that Microsoft use the legal approach against threat actors. To date, the IT giant has taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors through 24 lawsuits.

Microsoft claims to have blocked the registration of 600,000 sites that threat actors planned to use in attacks in the wild.

The APT15 group carried out highly sophisticated attacks, in most of the cases, they used a hard-to-detect implant to spy on the victims and exfiltrate data. In some attacks, APT15 compromised third-party virtual private network (VPN) suppliers or used stolen credentials obtained from spear-phishing campaigns. Microsoft also reported that the China-linked APT targeted on-premises Exchange Server and SharePoint systems with known exploits.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT15)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment