Sometimes a sneaky Monero miner is more than just a sign of a crook.
Cyber-espionage campaigns this summer in France and Vietnam deployed cryptocurrency mining software on victims’ networks to help draw attention away from the hackers’ spying tools, Microsoft says in a new report.
The company’s threat intelligence unit has pinned the activity on an advanced persistent threat (APT) group it calls Bismuth, more commonly known as APT32 or OceanLotus.
“Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence,” the researchers say in a report released Monday. In this case, the coin miners collected Monero, a cryptocurrency with a reputation for being harder to trace than other digital coins.
The hacking group — which other cybersecurity researchers have linked to the Vietnamese government — has been developing new techniques to break into computers and hide its activities. Last week researchers from Trend Micro reported that it had updated a backdoor aimed at Apple laptops and desktops.
In this case, the mining probably earned the group a few thousand dollars’ worth of cryptocurrency, but the real value was in its skullduggery.
“After deploying coin miners as their distraction technique, BISMUTH then focused much of its efforts on credential theft,” Microsoft says.
The Vietnam-linked hackers are generally interested in high-value information from corporations, governments, educational institutions and human and civil rights organizations — particularly in Southeast Asia and in Vietnam itself. In this case, Microsoft says “there were some commonalities among targets located in Vietnam that Microsoft has assessed to be tied to their previous designation as state-owned enterprises (SOEs).”
That list includes “former SOEs previously operated by the government of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct transactions with a Vietnamese government agency,” Microsoft says. French targets could be associated with those, given the two countries long-standing ties.
The espionage campaigns took place in July and August, Microsoft says, and began with spearphishing emails that showed a distinct knowledge of the targets.
The emails were “specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain,” the researchers say.
Once inside, the group used techniques familiar to cybersecurity researchers, including Cobalt Strike and Mimikatz malware, the researchers say.