Nation-state hacker group uses mining techniques to stay hidden

Written by:
Jinia Shawdagor
December 2, 2020
  • BISMUTH has been operational since 2012 but only started using XMR miners recently.
  • Per the Microsoft threat intelligence team, crypto miners are not considered serious threats.
  • Educating end-users about protecting personal data is one of the ways to curb such attacks.

BISMUTH, a nation-state threat actor, is taking advantage of crypto mining techniques to disguise its attacks, according to the Microsoft 365 Defender Threat Intelligence team. The team unveiled this news through a report on November 30, noting that the hacker group is now releasing crypto-mining malware alongside its regular cyberespionage toolkits.

According to the report, BISMUTH has been running sophisticated cyberespionage attacks since 2012, leveraging both custom and open-source tools. The group has reportedly been targeting large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. However, BISMUTH’s most recent attacks have taken on a new shape, according to the Microsoft threat intelligence team. For instance, the team highlighted the group’s July to August 2020 attacks, noting that the group launched monero (XMR) miners, targeting both private and government institutions in France and Vietnam.


Explaining how BISMUTH managed to carry out these attacks, the Microsoft 365 Defender Threat Intelligence team said,

“Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency.”

As such, the group took advantage of the low-priority alerts of crypto miners to try to establish its persistence while flying under the radar.

Blending in to create trust with targets

According to the Microsoft 365 Defender Threat Intelligence team, BISMUTH’s operational goal of establishing continuous monitoring and extracting useful data when it surfaces remained unchanged. However, the use of XMR miners opened a gateway for other attackers to monetize compromised networks. The team admitted that the use of crypto miners was unexpected. Nonetheless, the team was quick to add that the move was consistent with the group’s method of blending in.

The threat intelligence team went on to note that,

“This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain.”

Per the report, the use of crypto miners allowed BISMUTH to hide more harmful activities behind threats that many systems passed off as commodity malware. The publication went on to advise that, just as with commodity banking Trojans that bring in human-operated ransomware, network operators should treat such malware infections with urgency, as they can indicate the onset of more sophisticated attacks.

Effective means of curbing such attacks

Outlining some of the ways that organizations can build up resilience against such attacks, the report noted that organizations should educate their end-users about shielding their personal and business information on social media. The report also recommended that administrators configure Office 365 email filtering settings, turn on attack surface reduction rules, disallow macros or only allow macros from known locations, and check perimeter firewall and proxy settings to restrict servers from making arbitrary connections to the internet.

On top of this, the publication suggested that organizations should enforce strong, randomized administrator passwords, use multi-factor authentication, and avoid the use of domain-wide, admin-level service accounts.