Microsoft has announced the seizure of 42 domains used by Nickel a China-based cyber espionage group which has its sights on organizations in the U.S. and 28 other countries. Nickel has targeted organizations in both private and public sectors including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, Europe and Africa.
Microsoft painted the cyber assaults as “highly sophisticated” using various techniques, including breaching remote access services and exploiting vulnerabilities in unpatched VPN appliances as well as Exchange Server and SharePoint systems to “insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.”
From the point of intrusion, Nickel has been found deploying credential dumping tools and stealers such as Mimikatz to access accounts, followed by delivering custom malware that allowed the actor to maintain persistence on victim networks over extended periods of time and conduct regularly scheduled exfiltration of files, execute arbitrary shellcode, and collect emails from Microsoft 365 accounts using compromised credentials.
The recent attacks add to an extensive list of surveillanceware campaigns mounted by Nickel in recent years.
“As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives,” Microsoft said.