Microsoft disrupts China-based hacking group Nickel

Microsoft disrupts China-based hacking group Nickel

Microsoft has taken control of 42 web domains that a hacking group was using to try to breach its targets.

On December 2, the Microsoft Digital Crimes Unit (DCU) filed pleadings with the US District Court for the Eastern District of Virginia seeking authority to take control of the sites that it discovered belonged to a China-based group it calls Nickel. The court order was unsealed December 6 following completion of service on the hosting providers, and traffic from the websites is now routed to computer servers controlled by Microsoft.

The disruption is unlikely to prevent Nickel from pursuing its hacking activities, but it has put a spanner in its works, effectively removing a key piece of the infrastructure the group has been relying on for its latest wave of attacks. Sadly, any setback to the Chinese hacking group or others will likely be temporary as the hackers will find and build new infrastructure to use in forthcoming attacks.


Others in the security community who have researched this group of actors refer to the group by other names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon. Malwarebytes generally uses the APT15 designation for this group.

Chinese groups

The group’s activities have been traced back to 2010 when it performed a cyberespionage campaign directed at diplomatic organizations and missions in Europe.

Targets, methods, and techniques

Nickel’s techniques vary, but in the end the group’s activity has only one objective, namely to implant stealthy malware for getting into networks, stealing data, and spying on government agencies, think tanks, and human rights organizations.

For initial access, the DCU noticed Nickel using older, and patched, vulnerabilities in Microsoft products like Microsoft Exchange and SharePoint, but also compromised VPN suppliers or obtained stolen credentials. For lateral movement the DCU saw Nickel actors using Mimikatz, WDigest, NTDSDump, and other password dumping tools during attacks.

Then followed a drop of hard-to-detect malware that enabled intrusions, surveillance and data theft targeting organizations in Argentina, Barbados, Bosnia-Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad & Tobago, the UK, US, and Venezuela.

As a result, Nickel achieved long-term access to several targets, allowing the group to conduct activities such as regularly scheduled exfiltration of data. Microsoft Threat Intelligence Center (MSTIC) observed Nickel perform frequent and scheduled data collection and exfiltration from victim networks. The group’s activity included looking in directories of interest for new files added since the last time it collected data.

One method Nickel uses to hide malware is to drop it into existing installed software paths. The group did this to make the malware appear to be files used for an installed application. These are backdoors capable of collecting system information and have basic backdoor functionalities, including, but not limited to:

  • Launching a process
  • Uploading a file
  • Downloading a file
  • Executing a shellcode in memory

A long list of IOCs can be found at the end of this write-up about Nickel by MSTIC.

International cooperation

The Microsoft blog includes a call-to-action for industry, governments, civil society, and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace. There are some promising developments in this area, like the United States and the European Union joining the Paris Call for Trust and Security in Cyberspace, the Oxford Process which has brought together some of the best legal minds to evaluate the application of international law to cyberspace, and the United Nations taking critical steps to advance dialogue across stakeholders. Nevertheless, every entity with the relevant expertise and resources needs to do whatever they can to help bolster trust in technology and protect the digital ecosystem.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.