Home / Industry

“Nickel” APT Group: What We Found About Microsoft’s Latest Domain Seizure

Threat actors reportedly attacked 29 government agencies worldwide in a recent malicious campaign. The attacks were attributed to China-based advanced persistent threat (APT) group Nickel, which has been known to trail its sights on governments and nongovernmental organizations (NGOs) across Europe, the Americas, and the Caribbean.

To date, Microsoft seized 42 domains that threat actors used for the attacks. We took a closer look at these web properties using WHOIS tools to find more information that may be useful for fellow researchers and IT security teams. Our findings include the below:

  • Some of the 42 domains appeared to have rich WHOIS histories, with an average of nine WHOIS records each.
  • A majority of the 42 domains were likely newly registered when they were used for targeted attacks.
  • We found an additional 2,953 domains that Microsoft has seized over time.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made them available to anyone interested. You may download the related threat research materials here.

What We Know So Far

Microsoft has been tracking Nickel since 2016, allowing it to collate the 42 domains that they sought to seize. They obtained seizure approval from a federal court in Virginia before proceeding with the process.

The Nickel attacks used hard-to-detect malware that allowed the threat actors to spy on and steal data from target organizations spread across 29 countries. Agencies in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, the Czech Republic, the Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the U.K., the U.S., and Venezuela were among the group’s victims.

What WHOIS Intelligence Sources and OSINT Research Revealed

We began our in-depth look by subjecting the 42 seized domains to historical WHOIS searches. A majority of the domains were likely newly registered when they were used as threat vectors. But some may not have been new, such as the oldest domain, palazzochigi[.]com, which creation date goes as far back as 14 April 2011, five years before Nickel potentially began launching APTs. Chart 1 shows the analysis by domain creation date.

Chart 1: 42 seized domain distribution by creation date

A majority of the domains (22 or 52%) were created in 2020. The remaining half of the sample were created over the past decade.

We also scrutinized the historical WHOIS records of the 42 seized domains and found that a huge bulk (31 or 74%) indicated China as their last known registrant country. Chart 2 shows the analysis based on the domains’ last known registrant country.

Chart 2: 42 seized domain distribution by last known registrant country

Owing to their age, the domains had an average of nine historical WHOIS records each. Chart 3 shows their ages in greater detail.

Chart 3: 42 seized domain distribution by number of historical WHOIS records

Most of the domains (9 or 21%) had nine historical WHOIS records since their creation date. The older a domain is, the greater its number of historical WHOIS records.

According to Microsoft, accessing the seized domains would lead to a backdoor infection, specifically by Backdoor:Win32/Leeson!MSR or the Leeson malware, which was detected on 30 November 2021. It comes disguised as legitimate applications and connects compromised systems to hardcoded command-and-control (C&C) servers. That allows threat actors to collect information, including their IP address, operating system (OS) version, system language ID, computer name, and the username of the current signed-in user.

The fact that the last known registrant country of close to a third of the sample was China is consistent with Nickel’s origin. The registrant countries’ names were obtained from historical WHOIS records dates between 17 March and 1 November 2021. These dates may coincide with the last time each domain was used in attacks. If that’s the case, then we can say that Nickel-instigated targeted attacks went on until last month, before Microsoft was given the authority to seize the group’s domains.

Microsoft, through its Digital Crimes Unit, has been seizing domains since its establishment way back in 2008. It focuses on seven areas, namely, business email compromise (BEC), malware, ransomware, tech support fraud, online child exploitation, business operations integrity, and technological advances. Part of its task is to take down components of threat infrastructures, including the 42 domains featured in this post.

The seized domains currently indicate “Digital Crimes Unit” as their registrant organization. They aren’t the only ones, though, based on the results of a reverse WHOIS search for the string. We found 2,953 other domains, which Microsoft has also seized in relation to several attacks. Examples include unicy[.]at, miniexchange[.]at, and optiker-gramm[.]at, which were connected to a botnet owned by a certain John Does.


WHOIS history, as we’ve seen in this post, can give us additional insights into the rationale behind certain security findings, such as why cybersecurity experts say Nickel originated from China. Reverse WHOIS searches, meanwhile, can help users as part of deeper researches to ensure better cybersecurity.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Brand Protection

Sponsored byAppdetex

Threat Intelligence

Sponsored byWhoisXML API