Microsoft Threat Intelligence Team Says Cyber Thieves Using Crypto Asset Monero As Decoy While Attacking Nation States



The Microsoft Threat Intelligence Center (MSTIC) says that a nation-state hacker group is using crypto mining malware and other advanced tools to cover up nefarious attacks.

The group known as BISMUTH initially used open-source and custom tools to target multinational corporations, human rights organizations, and financial institutions, among others, Microsoft says in a new report.

Since then, the group has deployed increasingly complex techniques to fly under the radar and cover up its malicious activity, as seen in its latest attacks in July and August this year, in which it deployed Monero (XMR) coin-mining trojans against private and public institutions in France and Vietnam.


BISMUTH's attacks emphasize hiding in plain sight, Microsoft notes. By deploying coin miners as a distraction technique, BISMUTH could hide its other activities behind less-alarming threats.

“While this actor’s operational goals remained the same – establish continuous monitoring and espionage, exfiltrating useful information as it surfaced – their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks.”

Microsoft warns that users should be on the lookout for, and protect themselves against, the usual tactics deployed by BISMUTH.


“Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks.”
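The triage logic implied by that advice, as an added illustration that is not code from Microsoft or the report: a host whose only alerts are commodity ones (phishing, coin mining) is queued for inspection rather than closed, and is elevated further when a different alert category appears on the same host within a short window. The alert line format, the category names, the 72-hour window and the sample records are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Categories that SOC teams commonly treat as low-priority noise on their own.
COMMODITY = {"coin_miner", "phishing"}
# A different category on the same host inside this window elevates the case.
WINDOW = timedelta(hours=72)


def parse_alert(line: str) -> dict:
    """Parse one constructed alert line of the form '<ISO time>|<host>|<category>'."""
    ts, host, category = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "host": host, "category": category}


def triage(lines) -> dict:
    """Map each host to a severity:
    'routine'  - no commodity alert on the host
    'inspect'  - commodity alert(s) only; do not close as noise
    'elevated' - a commodity alert plus a different category within WINDOW
    """
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            alert = parse_alert(line)
            by_host[alert["host"]].append(alert)

    result = {}
    for host, alerts in by_host.items():
        severity = "routine"
        for a in alerts:
            if a["category"] not in COMMODITY:
                continue
            severity = "inspect" if severity == "routine" else severity
            # Look for any other category co-occurring with the commodity alert.
            for b in alerts:
                if b["category"] != a["category"] and abs(b["time"] - a["time"]) <= WINDOW:
                    severity = "elevated"
        result[host] = severity
    return result


# Constructed sample alerts (not real telemetry): ws-17 shows the decoy pattern,
# ws-42 has a lone miner, ws-09 has nothing commodity at all.
SAMPLE_ALERTS = [
    "2020-07-10T08:12:00|ws-17|phishing",
    "2020-07-11T22:40:00|ws-17|coin_miner",
    "2020-07-12T03:05:00|ws-17|credential_dumping",
    "2020-07-20T10:00:00|ws-42|coin_miner",
    "2020-07-21T09:30:00|ws-09|failed_login",
]
```

Running `triage(SAMPLE_ALERTS)` elevates ws-17, queues ws-42 for inspection and leaves ws-09 routine.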

To build resilience against these types of attacks, Microsoft says organizations should focus on configuring email filters to block phishing and spoofed emails, spam, and emails carrying malware. The tech giant also recommends educating users, disabling macros, and restricting servers from making arbitrary connections.
