Other security community members often refer to the Nickel group as “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon," Microsoft noted.
Nickel: How Alleged Cybercriminal Group Works
A federal court in Virginia granted Microsoft's request to seize websites that Nickel allegedly used to launch and maintain attacks. "We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations," Tom Burt, corporate VP of customer security and trust at Microsoft, wrote in a blog. "Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks."
The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016, Burt added, analyzing this specific activity since 2019. The attacks typically involved hackers inserting hard-to-detect malware that facilitates intrusion, surveillance and data theft, he alleged.
Exchange Server Targeted Again: Some of the hits involved unpatched on-premises Microsoft Exchange and SharePoint servers. In many ways, that's not surprising. On-premises Exchange servers have remained a frequent target for hackers throughout 2021.
Microsoft Intelligent Security Association (MISA) and MSSPs
Microsoft did not say whether its Nickel-blocking activities involved third-party cyber forensics companies and/or MSSPs.
Still, Microsoft has close working relationships with dozens of MSSPs through the Microsoft Intelligent Security Association (MISA), which has expanded regularly throughout 2021.