Legal action to disrupt “Nickel Group” cyberattack: the stakes are high

Klara Jordan

On December 6, the District Court for the Eastern District of Columbia unsealed documents granting Microsoft Corporation (Microsoft) a request to seize websites. These websites were used by a China-based criminal group, dubbed Nickel in the document. According to Microsoft, this group was engaging in systematic criminal activity on the Internet, harming its customers, among them governments, think-tanks, academic institutions and human rights NGOs[1]. The Nickel group cyberattack breached the security and privacy of persons holding key societal functions and is now the subject of the above-mentioned request for an emergency ex parte temporary restraining order.

Systematic criminal activity on the Internet – breaching and stealing sensitive information, turning professional and personal devices into surveillance tools, deception – endangers cyberpeace, security, and stability for the whole ecosystem, not just the targets. That is exactly the activity that is ascribed to the Nickel group. From damaging user privacy and the unauthorized monitoring and theft of data to a deliberate weakening of security protections, this malicious actor has not just undermined the collective trust and security in technology for those particular targets but for all users of technology.

From the perspective of the CyberPeace Institute’s mission, a court-authorized seizure of malicious websites is an important tool for the protection of victims and the ecosystem, prevention of further victimization, and an important step towards accountability in cyberspace.

Generally speaking, attacker infrastructure such as Internet domains registered for malicious activity, Command-and-Control (C2) and malware distribution domains are the mechanism through which the actor can execute cyberattacks, for example, steal victim credentials, steal information or deliver malware to a system. Investigating these domains can help correlate information about them and serve as a reliable tool to connect domains to a particular actor.

Justice departments around the world have been using this mechanism to disrupt malicious activity and to protect the victims of such attacks. In December 2020, Microsoft, FireEye and GoDaddy took part in a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers.

We welcome similar court-authorized government and industry-led initiatives to achieve the goal of disrupting malicious activity and preventing further victimization of users of ICTs.

Seizing the domains prevents their use for victimizing additional entities and organizations. It also prevents further victimization of breached targets: in this case, the malicious actor was observed to move laterally within the network and obtain increased access through the network in search of data to exfiltrate or to install malware. The longer the threat actor operates in a network, the more information they can access, resulting in a more significant privacy breach.

A court-authorized seizure of malicious domains is an important step in an investigation, which can lead to attribution of the activity to one or more individuals and result in criminal charges against the perpetrators. Identifying the individuals responsible for these acts and pursuing legal avenues are important steps in accountability for these criminal acts. Holding cyber criminals to account is crucial both as a deterrent to other actors and to ensure the harm these actors cause to the victims and the ecosystem is recognized. It is also crucial for victim redress.

Understanding the actions of the Nickel group.

Alongside their far-reaching effects, the activities of the Nickel group are notable for their sophisticated execution and potential long-term ramifications for individual victims and for the entire ecosystem. The response required needs to be threefold: swift action to disrupt the activity, legal action, and an important clarification of and respect for the applicable norms and rules to prevent this from recurring.

The Nickel group breached the security and privacy of persons holding key societal functions and is now the subject of the above-mentioned request for an emergency ex parte temporary restraining order.

It started as an abuse of information and communication technologies (ICTs) for fraudulent financial transactions but turned into a long-term compromise of existing technical protections to access victim mailboxes and read victim emails, involving a large number of high-value targets. The attackers then leveraged a wider range of vulnerabilities and back-door capabilities to compromise the security of systems that users of this technology rely on every day.

Using custom malware and a sophisticated modus operandi, the attackers were able to disguise the operation, making it invisible to the target and their wider network and enabling access to this network through a compromised account. Even when the target was made aware by Microsoft of the intrusion and the vulnerabilities were patched, their computers remained vulnerable and could easily be re-infected, exposing them to long-term harm in an impossible-to-defend-against attack.

Why this cyberattack merits focus

There are three important factors that are noteworthy about this activity. 

First, the extensive privacy breach. The continuous access to the targets’ meta-data and the content of their emails, breaching their privacy in a highly orchestrated operation, inflicted irreparable harm on the individuals. The information the attackers have obtained can be used for continued victimization.

Second, the targets of the attack were both public and private actors as well as tech vendors, including organizations that are an indispensable part of the fabric of democratic societies such as non-governmental organizations (NGOs), think-tanks, and academic institutions.

NGOs around the world serve critical functions delivering aid and supporting the most vulnerable communities, and serve as an important vehicle for civic engagement and activities defending and promoting human rights. Targeting these organizations, which often hold sensitive information about journalists, victims, and human rights activists, can mean grave danger to these individuals.

Third, users of ICTs have reasonable expectations that they can benefit from these technologies without having their security and privacy jeopardized. A malicious activity such as the one described in the filing undermines trust in technology: to the user, the program, application, or operating system appears to be functioning normally, while they are being monitored by the malicious actor and sensitive information is being stolen from them.

Implementing responsible behavior in cyberspace.

Both national security interests and individual freedoms are at stake when similar malicious activities occur. There is a shared responsibility to act now to condemn such malicious activity, disrupt the activities as soon as possible, and recognize this unacceptable behaviour in cyberspace. Industry and government stakeholders have to use all the available means to disrupt and remedy this harm and hold attackers accountable, with a view to protecting the victims of cyberattacks.

It is important to recall that the international community has set a number of expectations and commitments with respect to behavior in cyberspace. These are not only important from the perspective of holding the perpetrators accountable, but also to shed light on the responsibility of governments vis-a-vis victims, which can be for example discharged by granting a restraining order and enabling a seizure of domains and increasing public-private collaborations in similar cases.

Prevention and Remedies

The actions and the impact of this particular group make the case for four efforts to prevent and remedy injury to victims of this, and similar, cyberattacks:

1. Uphold the responsible behaviour of states, in line with the United Nations Group of Governmental Experts (UN GGE) voluntary norms. Six out of the 11 norms adopted in 2015 and further detailed in the 2021 UN GGE consensus report provide useful guidance for state action in this regard. Particularly,

a. the prevention of harmful ICT practices and threats to international peace and security,
b. the use of a territory for committing an international wrongful act using ICTs,
c. the respect of human rights in the digital age (specifically privacy and freedom of expression),
d. the prevention of malicious ICT tools and techniques and the use of harmful hidden functions,
e. the responsible disclosure of vulnerabilities and limitation of its harmful impact,
f. the exchange of information and assistance with prosecuting the criminal use of ICTs.  

Norms 13 (a), (c), (d), (e), (i) and (j) enumerate the existing responsibilities of states to limit the threats posed to international peace and security and to ensure the secure use of ICTs in full respect for human rights. The operationalization of these norms is key to preventing attacks like the one by the Nickel group from happening again in the future.

2. Encourage governments to fulfil their responsibilities to protect their citizens and abide by human rights obligations. This should include introducing legislation that allows victims to bring cases to court if cyberoperations disrupt their personal and professional lives. Effective remedies need to be introduced to protect cyber peace.

3. Strengthen accountability by implementing the norms of responsible state behaviour and ensuring that the perpetrators of cyberattacks are held to account. The value of norms lies in their lasting and effective operationalization.

4. Enhance security and protection in cyberspace, engaging with non-state actors, including civil society and industry actors, to ensure their expertise and experience can be leveraged effectively. Existing voluntary frameworks such as the Paris Call for Trust and Security in Cyberspace adopted by a multistakeholder community, as well as industry commitments such as the CyberSecurity Tech Accord and the Charter of Trust, put forward security-by-design responsibilities. Higher safeguards and protections can help restore citizens’ trust in technology. Our collective digital well-being depends on it.


[1] Protection of NGOs and the humanitarian sector is one of the key missions of the CyberPeace Institute which we operationalize through the CyberPeace Builders

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.

