Microsoft takes the fight to Chinese hacking group with tactical website strike

Microsoft Logo at Ignite
Microsoft Logo at Ignite (Image credit: Windows Central)

What you need to know

  • Microsoft seized control of several websites that were used by the China-based hacking group known as Nickel.
  • Taking control of the websites allows Microsoft to disrupt the efforts of the cybercriminals.
  • Nickel targeted diplomatic organizations and ministries of foreign affairs and other organizations in the private and public sectors.

Microsoft's Digital Crimes Unit (DCU) disrupted the activities of a China-based hacking group known as Nickel. Unsealed documents from a federal court in Virginia show that Microsoft's DCU requested and received permission to seize control of websites used by Nickel to target 29 countries, including the United States. Microsoft believes that Nickel's efforts were made to gather intelligence from government agencies, think tanks, and human rights organizations.

"Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help us protect existing and future victims while learning more about Nickel's activities," said Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft. "Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks."

Microsoft did not specify which organizations were targeted by Nickel. The company stated that the group "has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa." Microsoft added that "there is often a correlation between Nickel's targets and China's geopolitical interests."

Microsoft has used this strategy before. To date, the company has filed 24 lawsuits and taken down over 10,000 malicious websites that were used by cybercriminals. Additionally, Microsoft's DCU has taken down almost 600 sites used by nation-state actors and blocked the registration of 600,000 sites that had been part of the plans of malicious actors.

The Microsoft Threat Intelligence Center (MSTIC) has tracked Nickel since 2016 and analyzed these types of attacks by the organization since 2019.

Nickel has been active in the following countries: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, the United States, and Venezuela.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at