Court hands Microsoft control of websites linked to spying by Chinese hackers

Nickel, aka APT15, Ke3chang and Vixen Panda, was snooping on government agencies and others, the company said.
Nickel. U.S. nickels
(Getty Images)

Microsoft obtained a court order to seize websites from a Chinese government-linked espionage group that was using the sites to attack government agencies, think tanks and human rights organizations in 29 countries, the company said Monday.

The legal move is aimed at a hacking outfit that Microsoft calls Nickel, which is also known as APT15, Ke3chang or Vixen Panda. It’s been around since at least 2010, and frequently spies on foreign affairs of interest to China.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” wrote Tom Burt, Microsoft’s corporate vice president for customer security and trust. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Nickel’s targets, whom Microsoft didn’t name, included some in the U.S.


China has proven difficult to dissuade from conducting cyber-espionage. Even after taking fire this summer from an international coalition that blamed Beijing for exploiting Microsoft Exchange Server flaws in a manner that enabled a ransomware spree across the globe, China has since been tied to numerous other digital snooping campaigns.

Nickel’s techniques vary, but ultimately it has one objective, namely to implant stealthy malware for getting into networks, stealing data and spying, according to Microsoft. Targets for its exploits include Exchange Server and SharePoint systems that users haven’t updated with patches from Microsoft. Nickel also relied on compromised virtual private network suppliers or stolen credentials snatched via spearphishing, the company said.

Besides the U.S., Microsoft said, Nickel has been active in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the U.K. and Venezuela.

The lawsuit, filed Dec. 2 in the U.S. District Court for the Eastern District of Virginia, is one of 24 from the Microsoft Digital Crimes Unit that has led to the takedown of more than 10,000 malicious websites. Five of the 24 suits were against nation-state groups, Microsoft said.

Latest Podcasts