Federal court documents unsealed Monday show that Microsoft won the right to dismantle 51 domains used by APT15 for espionage campaigns observed targeting government agencies, think tanks and human rights organizations in 29 countries, including the United States.
"Microsoft’s [Digital Crimes Unit] has been a pioneer in using this legal strategy against cybercriminals and, more recently, against nation-state hackers," wrote Tom Burt, corporate vice president for customer security and trust, in a Microsoft blog post celebrating the move. "To date, in 24 lawsuits — five against nation-state actors — we’ve taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors. We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future."
APT15, which Microsoft nicknames Nickel, is believed to be a Chinese espionage group.
Microsoft has been using the courts to seize infrastructure since 2016, when it won domains used by the Russian group Fancy Bear. Microsoft commonly wins these actions by default judgment, since no one shows up to defend the malicious use of the domains. In the Nickel case, Microsoft won the default judgment on Oct. 21, according to court records.
The case was heard in the Eastern District of Virginia, home to Verisign, which oversees the .com and .org top-level domains used by the group. According to the court documents, Microsoft found a series of features unique to domains used by the group and used those features to discover as many of the group's domains as possible.
Nickel's most recent flurry of activity involved exploiting unpatched SharePoint, Exchange Servers and Pulse VPN, ultimately exfiltrating data and harvesting email credentials. Microsoft published a separate blog post outlining its latest observed attacks.
Microsoft used its announcement of the lawsuit to lobby for the Paris Call for Trust and Security in Cyberspace, a joint effort from private industry and many nations to set norms for espionage and nation-state cyber actions. The U.S. had declined to sign the Paris Call at its inception in 2018, but Vice President Kamala Harris recently signaled the U.S. was changing course.
"No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders. We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace," wrote Burt.