New Delhi, December 1st
Microsoft has revealed that Vietnamese government-backed hackers are distributing cryptocurrency mining malware alongside their regular cyber-spying toolkits.
The report highlights a growing trend in the cybersecurity industry: more and more state-backed hacker groups are also dipping their feet into regular cybercrime operations, making it more difficult to distinguish financially motivated crimes from intelligence-collection operations.
Monitored by the Microsoft 365 Defender Threat Intelligence team as Bismuth, the Vietnamese group has been around since 2012 and is more widely known as APT32 and OceanLotus.
“BISMUTH conducted increasingly complex cyber-espionage attacks as early as 2012, using customized and open source tools to target large multinationals, governments, financial services, educational institutions and human and civil rights organizations,” Microsoft said in a blog post late Monday.
In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.
“Nation-state actor BISMUTH’s campaigns take advantage of the low-priority alerts that coin miners cause to try to fly under the radar and establish persistence,” the Microsoft team announced.
Because BISMUTH’s attacks included techniques ranging from typical to more advanced, devices with common threat activity such as phishing and coin mining should be elevated and inspected for advanced threats.
“More importantly, organizations should prioritize attack surface reduction and strengthening networks against the full range of attacks.”
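The triage advice above, that a device generating routinely low-priority alerts such as coin mining or phishing should be elevated when such alerts cluster or co-occur with post-compromise activity, can be expressed as a simple correlation rule. The following is an added example written for this article, not code from Microsoft or from the report; the alert records, category names, device names and 72-hour window are all constructed assumptions standing in for whatever a given SIEM exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumed SIEM export shape, not data from the report):
# timestamp, device, alert category, and the severity the product assigned.
SAMPLE_ALERTS = [
    {"ts": "2020-08-01T09:02:00", "device": "ws-17", "category": "coin_miner", "severity": "low"},
    {"ts": "2020-08-01T09:15:00", "device": "ws-17", "category": "phishing_attachment", "severity": "low"},
    {"ts": "2020-08-01T10:00:00", "device": "ws-42", "category": "coin_miner", "severity": "low"},
    {"ts": "2020-07-01T08:00:00", "device": "ws-09", "category": "coin_miner", "severity": "low"},
    {"ts": "2020-08-01T08:00:00", "device": "ws-09", "category": "phishing_attachment", "severity": "low"},
    {"ts": "2020-08-03T08:00:00", "device": "srv-03", "category": "lateral_movement", "severity": "medium"},
]

# Categories that, taken alone, are usually closed as low priority (assumed names).
LOW_PRIORITY = {"coin_miner", "phishing_attachment"}
# Categories that show an intrusion has moved past initial access (assumed names).
POST_COMPROMISE = {"credential_dump", "lateral_movement", "persistence"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def triage(alerts, window=timedelta(hours=72)):
    """Group alerts per device and return a verdict string for each device.

    Rules, in priority order:
      1. any post-compromise category -> escalate regardless of severity;
      2. two or more distinct low-priority categories within `window` -> escalate,
         because a coin miner next to a phishing alert is a pattern, not noise;
      3. a coin miner on its own -> still inspect rather than auto-close;
      4. otherwise -> routine handling.
    """
    by_device = defaultdict(list)
    for alert in alerts:
        by_device[alert["device"]].append(alert)

    verdicts = {}
    for device, events in by_device.items():
        events.sort(key=lambda a: parse_ts(a["ts"]))
        categories = {a["category"] for a in events}
        span = parse_ts(events[-1]["ts"]) - parse_ts(events[0]["ts"])

        if categories & POST_COMPROMISE:
            verdicts[device] = "escalate: post-compromise activity"
        elif len(categories & LOW_PRIORITY) >= 2 and span <= window:
            verdicts[device] = "escalate: clustered low-priority alerts"
        elif "coin_miner" in categories:
            verdicts[device] = "inspect: coin miner alone"
        else:
            verdicts[device] = "routine"
    return verdicts


if __name__ == "__main__":
    for device, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{device:8} {verdict}")
```

Note that the window matters: `ws-17` is escalated because its miner and phishing alerts are minutes apart, while `ws-09` has the same two categories a month apart and only earns an inspection. The native severity field is deliberately ignored, since the point of the advice is that a "low" label on a coin-miner alert says nothing about what else is happening on the host.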
BISMUTH tries to gain initial access by sending specially crafted malicious emails from a Gmail account that appears to have been created specifically for its campaign.
As affected organizations worked to kick BISMUTH out of their networks, Microsoft’s security researchers saw ongoing activity that involved moving laterally to other devices, dumping credentials, and installing multiple persistence methods.
“This highlights the complexity of responding to a full-blown intrusion and the importance of acting quickly to resolve alarms that signal the early stages of an attack,” the team said.