Microsoft said on Monday that Vietnamese government-backed hackers were recently spotted distributing cryptocurrency mining malware alongside their regular cyber-spying toolkits.
The report highlights a growing trend in the cybersecurity industry: more and more state-backed hacking groups are also dipping their toes into ordinary cybercrime, making it harder to distinguish financially motivated crime from intelligence-gathering operations.
APT32 joins the Monero mining landscape
Tracked by Microsoft as Bismuth, this Vietnamese group has been around since 2012 and is best known by codenames like APT32 and OceanLotus.
For most of its existence, the group has orchestrated complex hacking operations, both overseas and within Vietnam, with the aim of gathering information to help its government on political, economic and foreign-policy matters.
But in a report released late Monday night, Microsoft says it recently observed a shift in the group’s tactics over the summer.
“In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam,” Microsoft said.
It’s unclear why the group made this change, but Microsoft has two theories.
The first is that the group uses crypto-mining malware, usually associated with cybercrime operations, to disguise some of its attacks from defenders and trick them into believing the intrusions are random, low-priority incidents.
The second is that the group is experimenting with new ways to generate revenue from systems it has infected as part of its regular cyber-espionage operations.
Other state-sponsored groups also attack for personal gain
The latter theory also fits a general trend observed in the cybersecurity industry, where, in recent years, Chinese, Russian, Iranian and North Korean state-sponsored hacking groups have also attacked targets for the sole purpose of generating money for personal gain, rather than for cyber-espionage.
The reasons for these attacks are simple and have to do with impunity. These groups often operate under the direct protection of their local governments, both as contractors and as intelligence agents, and also operate within countries that have no extradition treaties with the United States, allowing them to carry out any attacks they wish, knowing they will face hardly any consequences.
With Vietnam also lacking an extradition treaty with the United States, Bismuth’s expansion into cybercrime is considered a given for a country that is predicted to be “on the edge” of becoming a future cybercrime hub and a major cyber espionage actor in the next decade.