Microsoft has seized 42 domains being used by a China-based cyber espionage group that was targeting government agencies, think tanks, and human rights organizations in the United States and 28 other countries. This threat activity is being attributed to a group called Nickel, which is also known as APT15, Bronze Palace, and Mirage, among others.
These domains formed part of an infrastructure that allowed the threat actor to maintain long-term access to compromised systems and to launch attacks against them for the purpose of gathering intelligence. This threat actor has been observed exploiting vulnerabilities in unpatched virtual private network (VPN) appliances as well as Exchange and SharePoint systems to gain an initial foothold in a network. After gaining this foothold, they have been found to use common credential dumping tools and stealers, such as Mimikatz and WDigest, to compromise the organization further and to install custom backdoors that steal files and emails from the victim.
Nickel has been found using multiple backdoor variants to establish this persistence and control; these are currently being tracked as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.