On Monday, Microsoft announced the seizure of 42 domain names used by a China-based cyber-espionage group targeting organizations in the US and 28 other countries, under a legal order issued by a US federal court in the state of Virginia.
The Redmond company attributed the malicious activity to a group it tracks as Nickel, which the broader cybersecurity industry knows under the monikers APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda. The advanced persistent threat (APT) group is believed to have been active since at least 2012.
“Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and foreign ministries in North America, Central America, South America, the Caribbean, Europe and Africa,” said Tom Burt, Microsoft Corporate Vice President of Customer Trust and Security. “There is often a correlation between Nickel’s goals and China’s geopolitical interests.”
The rogue infrastructure allowed the attackers to maintain long-term access to compromised machines and to carry out intelligence-gathering attacks against government agencies, consulting organizations and human rights organizations as part of a digital espionage campaign dating back to September 2019.
Microsoft considers the cyberattacks “very sophisticated,” using a variety of techniques, including compromising remote access services and exploiting vulnerabilities in unpatched VPN appliances as well as Exchange Server and SharePoint systems to “insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.”
Once it had gained an initial foothold, Nickel was observed deploying credential dumpers and stealers such as Mimikatz and WDigest to break into victim accounts, then provisioning custom malware that allowed the attackers to persist on the victim network for long periods and to conduct regularly scheduled file exfiltration, arbitrary shellcode execution, and email collection from Microsoft 365 accounts using the compromised credentials.
Some of the backdoor families used for command and control are tracked as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.
The latest wave of attacks adds to the expanding list of spyware campaigns carried out by the APT15 group in recent years. In July 2020, mobile security firm Lookout disclosed four trojanized legitimate apps – named SilkBean, DoubleAgent, CarbonSteal and GoldenEagle – that targeted Uyghur and Tibetan minority communities with the aim of collecting personal user data and transmitting it to the adversary’s command-and-control server.
“As China’s influence around the world continues to grow and the country establishes bilateral relations with more countries and expands its partnerships in support of China’s Belt and Road Initiative, we assess that threat actors from China will continue to target clients in the government, diplomatic, and NGO sectors to gain new insights, possibly in pursuit of traditional intelligence-gathering or economic espionage targets,” Microsoft said.