Microsoft says it has found hackers backed by the Vietnamese government deploying cryptocurrency mining malware. The company says the threat actors are bundling the malware into their usual cyber-espionage toolkits.
This shows that some threat actors who typically work for or with governments are now branching out into non-espionage cyber-attacks. Microsoft points out that this blend makes it harder to tell whether an attack is intended for spying or is financially motivated.
Microsoft tracks the group as Bismuth; it is also widely known as OceanLotus and APT32. Regarded as a Vietnamese-backed cyber cell, the group is a longstanding threat actor that has been in operation since 2012.
As a government-backed group, Bismuth usually focuses on hacking operations within and outside Vietnam that are designed to extract information from compromised systems. Microsoft says the group now appears to have evolved toward more mainstream cyber operations.
“In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam,” Microsoft said.
Microsoft says there are a couple of possible reasons why Bismuth is making this switch. The group is clearly taking advantage of how readily available and easy to deploy crypto-mining tools are. Coin mining is often treated as a low-priority security risk, so it attracts less scrutiny from defenders:
“Because BISMUTH's attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks.”
Microsoft adds that Bismuth is not alone in moving from espionage into conventional cyberattacks. In fact, the company points to a broader trend in which Russian, North Korean, Chinese, and Iranian state-backed groups are also carrying out financially motivated attacks.