Microsoft links Vietnamese state hackers to crypto-mining malware campaign

Vietnamese state hackers imitate Chinese groups and start making money on the side while spying for their government.
Written by Catalin Cimpanu, Contributor

Vietnamese government-backed hackers have been recently spotted deploying cryptocurrency-mining malware alongside their regular cyber-espionage toolkits, Microsoft said on Monday.


The report highlights a growing trend in the cyber-security industry where an increasing number of state-backed hacking groups are also dipping their toes into regular cybercrime operations, making it harder to distinguish financially-motivated crime from intelligence gathering operations.

APT32 joins the Monero-mining landscape

Tracked by Microsoft as Bismuth, this Vietnamese group has been active since 2012 and is more widely known under codenames like APT32 and OceanLotus.

For most of its lifetime, the group has orchestrated complex hacking operations, both abroad and inside Vietnam, with the purpose of gathering information to help its government with political, economic, and foreign policy decisions.

But in a report published late Monday night, Microsoft says it observed a change in the group's tactics over the summer of 2020.

"In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam," Microsoft said.

It is unclear why the group made this change, but Microsoft has two theories.

The first is that the group is using crypto-mining malware, usually associated with cybercrime operations, to make some of its intrusions look to incident responders like low-priority, opportunistic cybercrime rather than targeted espionage.
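The practical caveat behind that theory is that a coin-miner alert should not be auto-closed as commodity noise without checking what else is happening on the host. The following is an added illustration, not code from Microsoft's report or from this article: a small triage rule in Python that keeps a lone miner at low priority but escalates when the same host also shows espionage-style activity within a time window. The alert records, the category names, and the 48-hour window are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (ISO timestamp, host, category). Not real telemetry.
SAMPLE_ALERTS = [
    ("2020-08-03T09:12:00", "ws-17", "coin_miner"),
    ("2020-08-03T09:40:00", "ws-17", "credential_access"),
    ("2020-08-03T11:05:00", "ws-17", "lateral_movement"),
    ("2020-08-03T10:00:00", "ws-22", "coin_miner"),
    ("2020-08-05T14:30:00", "ws-09", "credential_access"),
]

# Assumed set of categories that, next to a miner on the same host, suggest the
# miner is cover for a broader intrusion rather than the whole story.
ESPIONAGE_HINTS = {"credential_access", "lateral_movement", "collection", "exfiltration"}


def triage(alerts, window_hours=48):
    """Return {host: priority}.

    A host with only a miner is 'low'; a host where a miner and an
    espionage-style alert fall within window_hours of each other is 'high';
    espionage-style activity without a miner is 'medium'; nothing relevant is
    'informational'.
    """
    by_host = defaultdict(list)
    for ts, host, category in alerts:
        by_host[host].append((datetime.fromisoformat(ts), category))

    window = timedelta(hours=window_hours)
    result = {}
    for host, events in by_host.items():
        miners = [t for t, c in events if c == "coin_miner"]
        hints = [t for t, c in events if c in ESPIONAGE_HINTS]
        if not miners:
            result[host] = "medium" if hints else "informational"
            continue
        # Escalate if any miner alert sits within the window of any hint alert.
        correlated = any(abs(m - h) <= window for m in miners for h in hints)
        result[host] = "high" if correlated else "low"
    return result


if __name__ == "__main__":
    for host, priority in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host}: {priority}")
```

The point of the rule is ordering, not the specific categories: correlate the miner with the rest of the host's timeline before assigning priority, instead of letting a commodity-malware signature decide the ticket's fate on its own.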

The second is that the group is experimenting with new ways of generating revenue from systems it infected as part of its regular cyber-espionage-focused operations.

Other state-sponsored groups also hacking for personal gains

This second theory also fits a general trend seen in the cyber-security industry, where, in recent years, Chinese, Russian, Iranian, and North Korean state-sponsored hacking groups have also attacked targets for the sole purpose of generating money, rather than for cyber-espionage.

The reasons for the attacks are simple, and they have to do with impunity. These groups often operate under the direct protection of their local governments, either as contractors or intelligence agents, and they also operate from within countries that don't have extradition treaties with the US, allowing them to carry out any attack they want and know they stand to face almost none of the consequences.

With Vietnam also lacking an extradition treaty with the US, Bismuth's expansion into cybercrime is seen as all but inevitable for a country expected to be "on the edge" of becoming both a cybercrime hub and a major cyber-espionage player over the next decade.
