Microsoft has a valuable lesson for the big tech- how to take on Chinese cyber warfare. In a major development, Microsoft has disclosed that it has seized control of a number of websites that were being used by a China-backed hacking group to target organisations in 29 different countries, including the United States of America. This has set an example for American big tech companies on how to deal with malicious Chinese hackers.
What makes the Chinese hackers different?
Hacking is not uncommon in the modern world, but the Chinese “hacker army” is different. It has become an institutionalised organ of the Chinese government with around 100,000 individuals working organically.
Chad Duffy, the Global Product Manager at CyCraft Technology Corp, a Taiwanese cybersecurity firm, explained, “These are large, sophisticated hacking groups that are often state-sponsored or sometimes criminal organisations. A couple of things in common are that they have a large team of very sophisticated hackers, a lot of financial resources, and they often operate much more like a business in terms of having specialised units that do specific kinds of activity.”
A hacker group tracked by CyCraft showed that the hackers worked on a fixed routine. Duffy said, “This group operates like a corporate entity. The hackers work on a disciplined nine to six timeline. There are no activities during Chinese holidays and little activity during late nights. These all point to a very large and sophisticated infrastructure.”
Simply put, hacking and stealing information from foreign government agencies has become a popular business activity in China with extensive State support and this is what makes the Chinese “hacker army” a cause of concern.
US court allows Microsoft to take control of websites used by Nickel:
Microsoft’s Digital Crimes Unit (DCI) said on Monday that a federal court in Virginia had granted the software company control of the websites being used by a Chinese State-sponsored hacking group called Nickel, or APT15. Microsoft is now free to redirect traffic on such websites to Microsoft servers. This should help the United States in avoiding hacking attacks by China as these malicious websites were being used to gather intelligence from the government, think tanks and human rights organizations.
Microsoft hasn’t categorically mentioned Nickel’s targets, but has given away a hint by stating that “there is often a correlation between Nickel’s targets and China’s geopolitical interests.”
Microsoft has been tracking Nickel since 2016 and has described it in the past as one of the “most active” hacking groups targeting government agencies. The software company also said that it observed “highly sophisticated” attacks that installed hard-to-detect malware facilitating intrusion, surveillance and data theft.
Nickel uses different methods to penetrate its targets. Sometimes, it uses compromised third-party virtual private network (VPN) suppliers or credentials obtained from spear-phishing campaigns. In other cases, it has used vulnerabilities in Microsoft’s own Exchange Server and SharePoint system to infiltrate companies.
Tom Burt, Microsoft’s corporate vice president for customer security and trust, said, “Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities.” Burt added, “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
Hacking the hackers- how the Chinese “hacker army” may be vulnerable to counterattacks:
While the world is worried about Chinese cyber-attacks, the Microsoft episode shows that Chinese hackers can be intercepted. This is also what a Taiwanese cyber security firm, CyCraft, managed to do last year. It is no secret that Chinese State-sponsored institutions and hackers are looking to exploit the Taiwanese semiconductor industry and this is what they also seemed to have tried last year.
However, the CyCraft engineers were able to intercept communication between an affected company’s network and the command-and-control server of the hackers. After gaining access to this cloud server, CyCraft was able to track the activities of the hacking group, including a standard operating procedure in the Chinese language.
At a Black Hat security conference last year, CyCraft researchers presented details of a hacking campaign that might have compromised the internal data of at least seven Taiwanese chip firms in 2018 and 2019.
Both Microsoft and CyCraft thus have experience in intercepting and tracking the activity of Chinese hackers. The Chinese “hacker army” may be out to steal the free world’s data, but there is a simple solution- hack the hackers and wrest control of their assets.
