Microsoft links Vietnamese hackers to cryptomining malware

Microsoft has revealed that Vietnamese government-backed hackers are deploying cryptocurrency-mining malware alongside their regular cyber-espionage toolkits.

The report highlights a growing trend in the cyber-security industry where an increasing number of state-backed hacking groups are also dipping their toes into regular cybercrime operations, making it harder to distinguish financially-motivated crime from intelligence gathering operations.

Tracked by the Microsoft 365 Defender Threat Intelligence Team as Bismuth, the Vietnamese group has been active since 2012 and is more widely known as APT32 and OceanLotus.

“BISMUTH has been running increasingly complex cyber-espionage attacks as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organisations,” Microsoft said in a blog post late on Monday.

In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.

“The campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence,” the Microsoft team announced.

Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats.

“More importantly, organisations should prioritise reducing attack surface and hardening networks against the full range of attacks”.

BISMUTH attempts to gain initial access by sending specially crafted malicious emails from a Gmail account that appears to have been made specifically for its campaign.

As the affected organisations worked to evict BISMUTH from their networks, Microsoft security researchers saw continued activity involving lateral movement to other devices, credential dumping, and planting of multiple persistence methods.

“This highlights the complexity of responding to a full-blown intrusion and the significance of taking quick action to resolve alerts that flag initial stages of an attack,” said the team.