Nationwide hacker group uses mining techniques to remain hidden

Bismuth, a nation-state actor in the field of threats, uses crypto-mining techniques to disguise its attacks, according to the Microsoft 365 Defender Threat Intelligence Team. The team unveiled this news in a report on November 30th in which it noted that the hacker group is now releasing crypto-mining malware in addition to its regular cyber-spy toolkits.

It says BISMUTH has been conducting sophisticated cyber-spy attacks using both custom and open source tools since 2012. The group has reportedly targeted large multinational corporations, financial services from governments, educational institutions, and human and civil rights organizations. However, according to the Microsoft Threat Intelligence Team, the latest attacks by BISMUTH have taken a new shape. For example, the team highlighted the group’s attacks from July to August 2020 and found that the Monero Miners (XMR) group had targeted private and government institutions in France and Vietnam.

The Microsoft 365 Defender Threat Intelligence team explained how BISMUTH carried out these attacks,

“Cryptocurrency miners are typically associated with cybercriminal operations, not with sophisticated nation-state actors. They are not the most sophisticated type of threat, which also means that they are not among the most critical security problems that defenders address with urgency.

As such, the group used the warnings of low-priority crypto-miners to try to determine their persistence while flying under the radar.

Fade in to build confidence with the targets

According to the Microsoft 365 Defender Threat Intelligence team, BISMUTH’s operational goal remained to establish continuous monitoring and extract useful data when it appears unchanged. However, the deployment of XMR miners opened a door for other attackers to monetize compromised networks. The team admitted that the use of Crypto-Miners was unexpected. However, the team quickly added that the move was consistent with the group’s method of monetizing.

The threat intelligence team took note of this,

“This pattern of interference is particularly evident in these recent attacks, beginning with the initial access phase: spear phishing emails, specifically created for a particular recipient per target organization, showing signs of prior intelligence. In some cases, the group even corresponded with the targets, making them even more credible in convincing them to open the malicious attachment and start the chain of infection.

According to the report, by using Crypto-Miners, BISMUTH was able to hide even more malicious activity behind threats that many systems passed off as malware. The publication also stated that network operators should treat malware infections with urgency when dealing with Trojans in the commodities business that introduce human-operated ransom demands, as they can indicate the start of more sophisticated attacks.

Effective means to contain such attacks

The report outlined some of the ways in which organizations can build resilience against such attacks, and noted that networks should educate their end users about how to shield their personal and business information in social media. The report also recommended that users configure Office 365’s email filtering settings, enable interface reduction rules, prohibit macros or allow macros from known locations only, and review perimeter firewall and proxy settings to prevent servers from connecting arbitrarily to the Internet.

The publication also suggested that users should enforce strong, randomized administrator passwords, use multi-factor authentication, and avoid the use of domain-wide administrator-level service accounts.