Defending individuals from data breaches, the new public threat
The Microsoft Digital Crimes Unit (DCU) has disrupted the activities of Nickel, a China-based hacking group. According to documents unsealed today, a federal court in Virginia granted our request to seize websites Nickel had used to target organizations in the United States and 28 other countries, allowing us to cut off Nickel's access to its victims and prevent those websites from being used to execute attacks. We believe these attacks were primarily designed to gather intelligence from government agencies, think tanks, and human rights organizations.
On December 2, Microsoft filed pleadings with the United States District Court for the Eastern District of Virginia seeking authority to take control of the sites. The court quickly granted an order, which was unsealed today after service on the hosting providers was completed. Taking control of the malicious websites and redirecting their traffic to Microsoft's secure servers helps us protect existing and future victims while also allowing us to learn more about Nickel's operations. We believe we have removed a key piece of the infrastructure Nickel has relied on for this latest wave of attacks. Our disruption will not, however, prevent Nickel from continuing other hacking activities.
Microsoft's DCU has pioneered the use of this legal approach against cybercriminals and, more recently, nation-state actors. To date, in 24 lawsuits, five of them against nation-state actors, we have taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. We have also successfully blocked the registration of 600,000 sites to get ahead of criminals who planned to use them maliciously in the future.
The Microsoft Threat Intelligence Center (MSTIC) has been tracking Nickel since 2016 and analyzing this specific activity since 2019. As with any identified nation-state actor activity, Microsoft continues to notify targeted or compromised customers where feasible, giving them the information they need to secure their accounts. The attacks MSTIC observed were highly sophisticated and used a variety of techniques, but they shared one goal: to implant hard-to-detect malware that enables intrusion, surveillance, and data theft. In some instances, Nickel's attacks used compromised third-party virtual private network (VPN) providers or stolen credentials obtained through spear phishing. In some observed activity, Nickel malware used exploits against unpatched on-premises Exchange Server and SharePoint systems. However, we have not identified any new vulnerabilities in Microsoft products as part of these attacks: the flaws exploited were already known and fixed, and the affected systems simply had not applied the available updates. Microsoft has created unique signatures to detect and protect against known Nickel activity through our security products.
Nickel has targeted organizations in both the private and public sectors across North America, Central America, South America, the Caribbean, Europe, and Africa, including diplomatic organizations and ministries of foreign affairs. There is often a correlation between Nickel's targets and China's geopolitical interests. Others in the security community who have researched this group of actors refer to it by names including 'KE3CHANG,' 'APT15,' 'Vixen Panda,' 'Royal APT,' and 'Playful Dragon.'
The countries in which Nickel has targeted organizations include Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, the Czech Republic, the Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.
Nation-state attacks continue to grow in volume and sophistication. Our objective in this case, as in previous disruptions that targeted Barium (operating from China), Strontium (Russia), Phosphorus (Iran), and Thallium (North Korea), is to take down malicious infrastructure, better understand actor tactics, protect our customers, and inform the broader debate on acceptable norms in cyberspace. We will continue to work tirelessly to improve the security of the ecosystem, and we will continue to share what we observe, regardless of where it originates.
No single action by Microsoft, or by anyone else in the industry, will be enough to stop the stream of attacks from nation-states and from cybercriminals operating within their borders. Industry, governments, civil society, and others must work together to establish a new consensus on what is and is not acceptable behavior in cyberspace. Recent progress gives us hope. Last month, the United States and the European Union joined the Paris Call for Trust and Security in Cyberspace, the world's largest multistakeholder endorsement of core cybersecurity principles, with more than 1,200 signatories. The Oxford Process has brought together some of the most distinguished legal minds to assess how international law applies to cyberspace, and the United Nations has taken important steps to promote dialogue across stakeholders. It is our responsibility, and the responsibility of every organization with relevant expertise and resources, to do everything possible to help build trust in technology.