DCU believes that these websites were used to gather intelligence, specifically from government agencies, think tanks, and human rights organizations. The ruling will enable DCU to “cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.” Microsoft filed its pleading with the US District Court for the Eastern District of Virginia on December 2, and the court quickly granted an order, which was made publicly available on Monday, December 6. Microsoft said that it will redirect traffic from the malicious websites to its own secure servers, which will allow the company both to protect victims and to learn more about Nickel’s operations. It added that this disruption is unlikely to halt Nickel’s hacking activities altogether; however, Microsoft stated that it has removed a key piece of infrastructure the hackers have relied on in recent attacks.
Microsoft DCU Takes Legal Approach to Stifle Cybercriminals
This is not the first time Microsoft DCU has taken the legal route to thwart cyber campaigns. In fact, it claims to be the pioneer in using court orders against cybercriminals as well as nation-state hackers. The company has filed 24 lawsuits, 5 of them against nation-state actors, which has allowed it to take down over 10,000 malicious websites. It has also blocked the registration of 600,000 websites as a pre-emptive measure, i.e., to prevent cybercriminals from using them in the future.
A Brief Background of Nickel’s Criminal Activity
Microsoft Threat Intelligence Center (MSTIC) has been observing Nickel’s activity since 2016 and has traced the campaign in question back to 2019. Nickel’s targets include organizations in both the private and public sectors, as well as diplomatic organizations and missions in North, Central, and South America, Europe, Africa, and the Caribbean. Microsoft claims that there is often “a correlation between Nickel’s targets and China’s geopolitical interests.” MSTIC said that Nickel’s attacks are highly sophisticated and rely on a variety of techniques. The goal of the attacks is to install malware on victims’ systems, which then carries out surveillance and data theft. MSTIC added that some of Nickel’s attacks have used compromised third-party VPN suppliers or credentials obtained through spear-phishing campaigns, while others have targeted vulnerable Microsoft services, such as unpatched on-premises Exchange Server and SharePoint systems. Microsoft said it has not found any new vulnerabilities in its products as part of these attacks.