Active since 2012, APT32, also known as OceanLotus, has been known for complex hacking operations whose main purpose was intelligence gathering, both inside Vietnam and against other countries. In a new report, Microsoft links APT32 (tracked by Microsoft as Bismuth) to a crypto-mining campaign. The report describes a change in the group's tactics that Microsoft observed over the summer: the group deployed Monero coin miners against private-sector and government targets in France and Vietnam. Microsoft offers two theories for the change. The first is that the group is using generic, cyber-crime-style attacks such as these to disguise its other intelligence-gathering operations. The second is that it is experimenting with new forms of revenue-generating attacks.
Other state-backed threat actors, most notably North Korean groups, have already made the transition to carrying out cyber-crime attacks rather than only intelligence gathering. Carrying out cyber-crime attacks such as these allows a group to disguise some of its activity and makes it harder for analysts to track the group. An alternate theory for why government-backed threat groups would choose to mine Monero in particular is that Monero lets the threat actors pay for leased server infrastructure anonymously, making the infrastructure harder for investigators to trace. Another reason some groups have shifted to revenue-generating attacks is that many of them work on behalf of their host country, which gives them a sense of immunity from prosecution. And since many of these countries have no extradition treaty with the United States, there is little that can be done to curb the growth of cyber-crime originating there. To defend against attacks like these, organizations should have monitoring in place, such as Binary Defense's Managed Detection and Response, to identify and stop them early. Anyone using a personal computer should have up-to-date anti-virus installed to detect this or other cryptocurrency-mining malware.
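As an added example (not code from the ZDNet article or from Microsoft's report), the following Python script shows the kind of command-line detection logic a defender could run over process-creation telemetry to surface a Monero miner even when its binary has been renamed. The indicators it looks for are public characteristics of XMRig-style miners: the stratum+tcp/stratum+ssl URL scheme, XMRig flags such as --donate-level and -a rx/0, the 95-character base58 shape of a Monero address, known miner image names, and common pool ports. The log lines, hostnames, pool domains and the wallet string are constructed for this example and are not real telemetry or real infrastructure.

```python
import re
from typing import Dict, List

# Placeholder with the length (95) and base58 alphabet of a Monero address; not a real wallet.
SAMPLE_WALLET = "4" + "A" * 94

# Constructed process-creation events: "<host>\t<image path>\t<command line>". Not real telemetry.
SAMPLE_EVENTS = [
    "ws01\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs -p",
    "ws02\tC:\\Users\\Public\\sys.exe\tsys.exe -o stratum+tcp://pool.example.net:3333 -u "
    + SAMPLE_WALLET + " -p x --donate-level 1 -a rx/0 -k",
    "srv03\t/usr/bin/curl\tcurl -s http://files.example.net/update.tar.gz -o /tmp/update.tar.gz",
    "srv04\t/tmp/.x/kthreadd\tkthreadd --url=stratum+ssl://pool.example.org:443 --coin=monero --background",
    "ws05\tC:\\Program Files\\Git\\bin\\git.exe\tgit fetch origin",
    "ws06\tC:\\ProgramData\\xmrig\\xmrig.exe\txmrig.exe --config=config.json",
]

# (name, regex, weight). Weights are the author's choice for this example:
# a pool URL, a wallet or a known miner image is strong on its own; a port alone is weak.
INDICATORS = [
    ("stratum_url", re.compile(r"stratum\+(tcp|ssl)://", re.I), 3),
    # Monero addresses are 95 base58 chars starting with 4 (standard) or 8 (subaddress).
    ("monero_wallet", re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"), 3),
    # XMRig-style flags: donation level, coin selection, RandomX algorithm.
    ("miner_flag", re.compile(r"(?:^|\s)(--donate-level|--coin[= ]monero|--algo[= ]rx/0|-a rx/0)(?:\s|=|$)", re.I), 2),
    ("miner_image", re.compile(r"(xmrig|xmr-stak|minerd)(\.exe)?\b", re.I), 3),
    # Ports commonly used by public mining pools; low weight because other services use them too.
    ("mining_port", re.compile(r":(3333|4444|5555|7777|14444)\b"), 1),
]


def score_command_line(text: str) -> Dict[str, object]:
    """Return the matched indicator names and their summed weight for one image+command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "hits": hits}


def scan(events: List[str], threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Return host -> verdict for every event scoring at or above threshold.

    The image path is scored together with the command line so a miner launched by
    its well-known name is caught even when it is given no arguments.
    """
    flagged: Dict[str, Dict[str, object]] = {}
    for line in events:
        host, image, cmdline = line.split("\t", 2)
        verdict = score_command_line(image + " " + cmdline)
        if verdict["score"] >= threshold:
            flagged[host] = verdict
    return flagged


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS).items():
        print(f"{host}: score={verdict['score']} hits={', '.join(verdict['hits'])}")
```

With the constructed events, ws02 (a renamed binary identified purely by its arguments and wallet), srv04 (a miner hiding under a kernel-thread name) and ws06 (the stock xmrig.exe image) are flagged, while the curl download that also uses an -o flag is not. The logic only sees command lines, so a miner that reads its configuration from a file or is injected into memory needs complementary signals such as sustained CPU usage and outbound connections to pool infrastructure.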
More can be read here: https://www.zdnet.com/article/microsoft-links-vietnamese-state-hackers-to-crypto-mining-malware-campaign/