Content, Channel partners

Microsoft Disrupts Alleged China-Based Hacking Group Called Nickel


Microsoft has disrupted an alleged China-based hacking group called Nickel, which purportedly attacked organizations in nearly 30 countries, the cloud and software giant disclosed today.

Other security community members often refer to the Nickel group as “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon," Microsoft noted.

Nickel: How Alleged Cybercriminal Group Works

A federal court in Virginia granted Microsoft's request to seize websites that Nickel allegedly used to launch and maintain attacks. "We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations," Tom Burt, corporate VP of customer security and trust at Microsoft, wrote in a blog. "Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks."

The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016, Burt added, analyzing this specific activity since 2019. The attacks typically involved hackers inserting hard-to-detect malware that facilitates intrusion, surveillance and data theft, he alleged.

Exchange Server Targeted Again: Some of the hits involved unpatched on-premises Microsoft Exchange and SharePoint servers. In many ways, that's not surprising. On-premises Exchange servers have remained a frequent target for hackers throughout 2021.

Microsoft Intelligent Security Association (MISA) and MSSPs

Microsoft did not say whether its Nickel-blocking activities involved third-party cyber forensics companies and/or MSSPs.

Still, Microsoft has close working relationships with dozens of MSSPs through the Microsoft Intelligent Security Association (MISA), which has expanded regularly throughout 2021.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.