A new security report by Microsoft says nation-state hacker group Bismuth is now deploying cryptocurrency-mining malware alongside its regular cyber-espionage toolkits. According to the report, the deployment by Bismuth of Monero coin miners in recent campaigns has provided another way for the attackers to monetize compromised networks. Bismuth is reportedly backed by the Vietnamese government.
Before pivoting to cryptocurrency miners, Bismuth had traditionally targeted human and civil rights organizations both inside and outside Vietnam using sophisticated techniques. However, according to a Microsoft security report, since “cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation-state actor activity.”
This means crypto miners are not seen as the most sophisticated type of threats and therefore, are not “among the most critical security issues that defenders address with urgency.”
Yet, as the report explains, investigators began observing a change in Bismuth’s tactics back in July 2020. The report says:
In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.
Although the Microsoft security report acknowledges that Bismuth’s use of coin miners was unexpected, the strategy remains “consistent with the group’s longtime methods of blending in.”
The report adds that “this pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance.”
Further, the use of cryptocurrency miners enables Bismuth “to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware.”
Meanwhile, the same report proffers what it terms “mitigation recommendations for building organizational resilience.” Part of the recommendations includes educating end-users about protecting personal and business information on social media.
The report also encourages users to filter unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
Do you agree with the report’s assessment that cryptocurrency miners are associated with cybercriminal operations? Share your views in the comments section below.