Start your day with intelligence. Get The OODA Daily Pulse.

The New Normal? Unique New Responses to Massive, Global Cyber Theft, Data Breach and Espionage Activities (Part 3 of 3)

In Part I of this series of posts, we broke down the timeline and impact of the massive Syniverse Hack, including the most recent development in the aftermath of the massive five-year-long data breach:  U.S. citizens filing multiple lawsuits against Syniverse for exposing their data.  Both lawsuits may evolve into a class action suit.

Similarly, in Part II, we took a look at the timeline and impact of the approx. $200 BitMart cryptocurrency theft, including BitMart’s Sheldon Xia decision to immediately compensate the recent heist monies for affected users, creating a new risk mitigation climate for the cryptocurrency marketplace, which to date has only “worked with law enforcement”  or “begged and pleaded with the hackers to return the stolen monies” in the aftermath of a heist.  The BitMart incident is one of a slew of recent massive heists that also makes clear that while BitMArt CEO Xia’s compensation decision may be new ground for crypto exchanges, enhanced security measures are now a clear precursor to regulation for the legitimacy of this marketplace. BitMart is still creeping back to resuming full exchange operations – and Xia’s recent tweet, as such, is telling.

The Microsoft NICKEL Domain Seizures

In the final post of this series, we breakdown a Fortune 100 company’s recent response to a nation-state actors cyber espionage activity, which may represent American tech companies newfound willingness to play the equivalent role for the U.S. government of the pervasive, global non-state actors that execute cyber activity on behalf of nation-states.

In the last few years, Microsoft has filed 24 lawsuits against cybercrime and cyber-espionage groups.  According to our friends over at The Record – the lawsuits  “allowed the company to take control of domains previously owned by the SolarWinds hackersCOVID-19 scamming operationsAPT35 Iranian hackers, the Necurs botnet, and Thallium, a North Korean cyber-espionage group, and Nigerian BEC scammers.  Five of these previous legal actions targeted state-sponsored espionage groups, and Microsoft said it has now seized more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors.”

The most recent headline:  Microsoft also seized domains used by Chinese cyber-espionage group Nickel (APT15).  Nickel is also known under other names, such as  “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT” and “Playful Dragon.”   On December 6th, according to The Microsoft Digital Crimes Unit (DCU):

“Microsoft has disrupted the activities of a China-based hacking group that we call Nickel. In documents that were unsealed today, a federal court in Virginia has granted our request to seize websites Nickel was using to attack organizations in the United States and 28 other countries around the world, enabling us to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations.”

In a Cyber War, Is Microsoft to the U.S. What Darkside/Black Matter is to Russia?  and Nickel is to China?

Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust added:  “Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities.  Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

According to a technical report from the Microsoft Threat Intelligence Center (MSTIC): 

“NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers. 

NICKEL used compromised credentials to sign into victims’ Microsoft 365 accounts through normal sign-ins with a browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. MSTIC has observed successful NICKEL sign-ins to compromised accounts through commercial VPN providers as well as from actor-controlled infrastructure.”

“…American high-tech companies may need to consider going it alone:  Full Bitskrieg.”

The seizure of domains by Microsoft in response to Chinese espionage activities prompted the realization that, while the U.S. does not have the extra-legal latitudes in waging a cyberwar that Russia and China leverage through native non-state hacker activity, the fact is that U.S. technology companies are in the game  – and have a brute force capability of their own.  They may not play in the illegality sandbox, but even basic legal-ese in their user agreements and software and cloud services contract gives U.S. IT companies a broad spectrum of legal choices in response to cyber espionage that may not be available to the U.S. Government.

The hope is that U.S. tech company legal efforts are as constant and unrelenting as the non-state actor’s illegal activity.  Everyone is trying to hack the U.S. cybersecurity ecosystem – and we mean everyone – and the opposing team is always playing their best game when they suit up to play against the Americans.   Kinetic domestic and international terrorists, much to the chagrin of counterterrorism operatives, only need to be right once.  In cyber, the unrelenting nature of the activity makes for more of a “finger in a massive, massive dam” analogy for cybersecurity professionals.  The result is the cyber threat landscape in which we find ourselves today – which is daunting.

How do corporate IT countermeasures scale their efforts collectively to achieve some of the network effects enjoyed by the other side? Do American tech companies need to join forces to put together a cyber legal framework that is right at the edge of the ‘legal’ in the cyberlaw discipline – while still honoring the rule of law – to meet lawless adversaries on their own turf?  American companies tend to be multinational and global with resources that move at the speed of the business climate.  What is the leverage internationally shared by American high-tech companies?

The U.S. Government may be on a ‘need to know’ basis at this point in the severity of the threat.  Talk of a public-private partnership with the government is great and some great work is certainly being done in the USG, especially at the DHS CISA JCDC.  But American high-tech companies may need to consider going it alone with a massive corporate IT Bitskrieg directed at the enemy.

Further Reading

A copy of the complaint filed by Microsoft is available here.  A list of the 42 seized domains is also available here.

For the full technical report of the Microsoft NICKEL Hack, see NICKEL targeting government organizations across Latin America and Europe – Microsoft Security Blog.

Part II of this series – The BitMart Cryptocurrency Heist

Part I of this series – The Syniverse Hack

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for businesses and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.