A federal court in Virginia recently gave Microsoft the power to seize websites used by a Chinese state-affiliated hacking group.
The group known as Nickel has successfully conducted cyberattacks in as many as 29 countries, including the United States, and 16 Latin American and Caribbean countries.
Microsoft has been tracking ongoing Nickel operations since 2016, but analysts cite around 12 years of cyber espionage activity on Nickel’s part. Microsoft’s Threat Intelligence Center has identified government agencies, diplomatic entities and civil society groups, including think tanks, universities and human rights-related non-governmental organizations, as targets of Nickel.
Since December, Microsoft’s Digital Crimes Unit has seized 42 US-based websites targeted by Nickel. Tom Burt, Microsoft’s vice president of customer security and trust, assessed that Nickel used the websites to attack the 29 reported countries.
According to Burt, the disruption will not prevent Nickel from continuing its hacking activities, but it will remove critical infrastructure used by the group to operate globally. It also sheds light on the mechanisms used to extract sensitive information.
In a July 2020 report, Nickel was allegedly involved in surveillance campaigns targeting Uyghur Muslims and other minorities, including Tibetans and Muslims outside of China.
Nickel is identified under other names in related cases, including APT 15, KeChang, Mirage, Vixen Panda, Royal APT, and Playful Dragon. In fact, the same malware identified by Microsoft offers intelligence capabilities for China’s genocidal human rights abuses.
The report revealed this through GPS tracking of malware associated with Nickel. Surveillance shows that the first devices infected with the malware were all found near the offices of Xi’an Tian He Defense Technology, a major defense contractor in China with direct ties to the Chinese Communist Party.
The analysts claim that these initial infections were likely for the malware’s early development phase, meaning that the malware was tested by the Chinese defense company.
Burt notes that “there is often a correlation between Nickel’s goals and China’s geopolitical interests.” Among the targets in the most recent case, Latin American and Caribbean countries make up a worrying majority.
In addition to the US, the nations targeted by Nickel include Argentina, Barbados, Brazil, Chile, Colombia, the Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Jamaica, Mexico, Panama, Peru, Trinidad and Tobago, and Venezuela, roughly half of all countries in the Western Hemisphere.
Much of Latin America and the Caribbean is seen as a recurring target given persistent vulnerabilities in cyber infrastructure and a shortage of cybersecurity professionals.
Cyberattacks in the region traced to China are not new. In 2019, the website of the Inter-American Development Bank, which remains the leading source of multilateral financing for 26 countries in the region and has both the US and China as non-borrowing members, was inundated with inquiries from more than 15,000 netizens from China, which temporarily crashed parts of the bank’s website.
The attack followed the election of Inter-American Development Bank President Mauricio Claver-Carone, who has signaled he would consider Taiwan as a non-borrowing member.
Nickel itself has targeted the region in the past. In 2017, analysts found that Nickel used related malware to infect diplomatic missions in Brazil, Chile, and Guatemala, as well as in Slovakia and Belgium.
Guatemala remains one of the few countries to recognize Taiwan, even though several of its neighbors switched allegiances to Beijing between 2017 and 2018. Chile and Brazil, both of which recognize Beijing, may not concern China on the Taiwan question, but the two are critical opportunities for China’s economic and military interests given their resources, fairly sizeable militaries, and strategic locations for ports and other maritime advantages.
According to a 2019 study of Chinese and Russian cyber operations in the region, Chinese military services are increasingly using cyber means to conduct intelligence operations against their hemisphere counterparts, including Brazil, Chile, Argentina and Mexico.
The report also highlights repeated allegations of cyberespionage against Chinese government agencies in the region, which favor Chinese companies, often state-owned or state-affiliated. Cyber intelligence gives access to vital market information, enables the coercion of local officials and the theft of intellectual property from competitors, and supports influence operations aimed at reducing local resistance to China.
While tracking where cyberattacks originate can be an imprecise measure of government activity, China remains a leading source of cyberattacks in the region. Of greater concern are the nature and purpose of its operations, and the links between the malware and China’s state-affiliated corporations and geopolitical interests. Likewise, the reach of these operations has grown, and with it the possibilities for coercion and manipulation of narratives.
Both the Biden administration and other governments in the region have maintained “radio silence” over the Nickel case and China’s growing cyber-intelligence offensive.
The White House blamed China for a similar case of espionage that compromised Microsoft email servers in July, but there have been no repercussions for China or for anyone identified as being behind Nickel.
At a July Senate hearing on the Colonial Pipeline hacking case, Senator Ted Cruz, R-Texas, was met with a deafening silence when he asked administration officials why China hadn’t been sanctioned for repeated cyberattacks.
Despite small successes in individual cases, these attacks are likely to continue. China has dramatically improved its cyberespionage capabilities, and its operations will increasingly reflect this.
Whether the United States and other governments in the region understand this as a threat to their sovereignty, national security and free markets – and respond accordingly – remains to be seen.
This piece originally appeared in The Daily Signal