Cyberespionage APT group hides behind cryptomining campaigns


Aug 17, 2014
An advanced threat group called Bismuth recently used cryptocurrency mining as a way to hide the purpose of their activity and to avoid triggering high-priority alerts.
Bismuth regularly targets human and civil rights organizations, but its list of victims also includes multinational companies, financial services, educational institutions, and government entities.
The actor has been running cyberespionage operations since at least 2012. Its attacks have increased in complexity since then, combining custom tools with freely available ones.

In recent campaigns, though, Bismuth launched Monero coin miners on compromised systems belonging to private and government organizations in France and Vietnam.
Microsoft detected the attacks, which occurred in July and August, and said the cryptojacking activity did not change the actor’s underlying objective: the group continued to monitor the victims and steal information of interest while the miners ran.
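The practical lesson for a SOC is that a coin-miner alert on a host should not be closed as low-priority noise in isolation. The script below is an added example, not code from the original article or from Microsoft’s detection logic: it correlates low-severity coin-miner alerts with other suspicious categories seen on the same host within a time window and escalates the host when companions are present. The alert records, field names (ts, host, category, severity), and category labels are constructed assumptions for illustration, not a real SIEM schema.

```python
"""Escalate coin-miner alerts that co-occur with other suspicious activity on a host.

Added example for this article; not the page's or Microsoft's own code.
Alert records and field names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Every one is "low" severity,
# which is exactly how a miner-as-cover campaign hopes to be triaged.
SAMPLE_ALERTS = [
    {"ts": "2020-08-01T09:00:00", "host": "fr-fin-07", "category": "coin_miner", "severity": "low"},
    {"ts": "2020-08-01T09:40:00", "host": "fr-fin-07", "category": "credential_dumping", "severity": "low"},
    {"ts": "2020-08-01T10:05:00", "host": "fr-fin-07", "category": "new_scheduled_task", "severity": "low"},
    {"ts": "2020-08-01T11:00:00", "host": "vn-gov-12", "category": "coin_miner", "severity": "low"},
    {"ts": "2020-08-03T08:00:00", "host": "vn-gov-12", "category": "new_scheduled_task", "severity": "low"},
]

# Hypothetical category names: signals that, seen next to a miner on the same
# host, suggest the miner is cover for an intrusion rather than the goal.
SUSPICIOUS_COMPANIONS = {
    "credential_dumping",
    "new_scheduled_task",
    "lateral_movement",
    "archive_staging",
}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def escalate_miner_alerts(alerts, window=timedelta(hours=24), min_companions=1):
    """Return {host: sorted companion categories} for every host where a
    coin_miner alert has at least `min_companions` distinct suspicious
    categories within +/- `window` of the miner alert."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    escalated = {}
    for host, items in by_host.items():
        miners = [a for a in items if a["category"] == "coin_miner"]
        for miner in miners:
            t0 = parse_ts(miner["ts"])
            companions = {
                a["category"]
                for a in items
                if a["category"] in SUSPICIOUS_COMPANIONS
                and abs(parse_ts(a["ts"]) - t0) <= window
            }
            if len(companions) >= min_companions:
                escalated[host] = sorted(companions)
    return escalated


if __name__ == "__main__":
    for host, companions in escalate_miner_alerts(SAMPLE_ALERTS).items():
        print(f"ESCALATE {host}: coin miner plus {', '.join(companions)}")
```

Run stand-alone, the script escalates only fr-fin-07: the miner there is flanked by credential dumping and a new scheduled task within the same hour, whereas the scheduled task on vn-gov-12 falls outside the 24-hour window. Tune `window` and `min_companions` to the environment; the point is that the miner alert becomes the trigger for a wider look at the host rather than a ticket to close.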
“The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in.” - Microsoft