Microsoft Security has taken control of and shut down 29 domains that were being used to target governments worldwide. The domains were aimed at governments and NGOs across continents and were part of attacks by the Chinese threat group Nickel.

The domain seizures were confirmed by Microsoft Security in two blog posts this week. Microsoft vice president Tom Burt, along with the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center, says the company was given the legal right to remove the domains by a federal court in Virginia.

Approval was given when Microsoft showed Nickel was using the domains to attack NGOs in the United States, across the Americas, Europe, and the Caribbean. Microsoft Security teams have been tracking the Nickel group since 2016 and combating its attacks.


“We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Burt said. 

“The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”


The attacks were widespread, targeting governments in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the UK, the US and Venezuela.

The Microsoft Threat Intelligence Center says Nickel was able to breach VPN suppliers or use stolen credentials to enter systems. Other attack methods involved exploiting vulnerabilities in Microsoft’s own products, such as SharePoint and Exchange Server.

“There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT,’ and ‘Playful Dragon,’” Burt adds.

“Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace.” 

Burt points out Microsoft will continue to seek rights to remove nefarious domains and has so far taken down 10,000 threat websites.
