Microsoft has seized control of several websites that were being used by China-based hackers to gather intelligence from 29 countries, including the United States. In their attacks, the group known as Nickel compromised the servers of government organizations, diplomatic entities, and human rights organizations from Europe and Latin America.
In a post on their blog, Microsoft said that their Digital Crimes Unit has successfully disrupted Nickel’s activities after a federal court in Virginia granted their request to take over U.S based websites. Doing so enabled the company to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. Internet traffic has also been redirected to secure servers. This will help Microsoft to protect existing and future victims while learning more about Nickel’s activities.
Microsoft has been tracking Nickel since 2016. Their findings revealed that the group’s highly sophisticated attacks intended to install unobtrusive malware that allowed for surveillance and data theft. In unsealed court documents Microsoft explained how the hackers targeted users through various techniques. They used compromising third-party virtual private networks and phishing to install malware on a user’s computer. Nickel would then connect the computer with the malicious websites that Microsoft has now seized.
The tech giant stated that since Nickel hacked into computers and made changes to Microsoft’s operating systems (sometimes posing as Microsoft) it was essentially abusing their trademarks and brands. The hackers deceived users by presenting an unauthorized, modified version of Windows to their customers. As such, the court also issued a temporary restraining order against the hackers. “There is good cause to believe that, unless defendants are restrained and enjoined by order of this court, immediate and irreparable harm will result from the defendants’ ongoing violations,” the court wrote in its decision (via The New York Times).
Microsoft says they have not discovered any new weaknesses in their products related to the attacks. Interestingly, shortly after the software company’s move to block Nickel, Google announced a lawsuit against two Russian individuals believed to be responsible for the Glupteba botnet. The botnet was allegedly used to infect one million Windows devices. Moreover, Google’s Cyber Crime Investigation and Threat Analysis Group said they plan to delete about 63M Google Docs which may have distributed Glupteba.
Microsoft’s recent legal action was the 24th lawsuit the company has filed against hacker groups. The various suits have led to the takedown of 10,000 malicious websites used by financially motivated hackers and almost 600 sites used by nation-state hackers. The tech company has also blocked the registration of 600,000 sites that hackers had planned to use in attacks (via ARS Technica). The tech giant has invoked various federal laws in its suits. This includes the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law.
By doing so, Microsoft can seize and secure domain names used for command-and-control servers. In 2012, legal action led to the seizure of infrastructure used by the Kremlin-backed Fancy Bear hacking group as well as nation-sponsored attack groups in Iran, China, and North Korea. Microsoft has also used lawsuits to disrupt botnets going by names like Zeus, Nitol, ZeroAccess, Bamatal, and TrickBot.