Bismuth

Description

(Microsoft) BISMUTH, which shares similarities with APT 32, OceanLotus, SeaLotus, has been running increasingly complex cyberespionage attacks as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam. Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks. In this blog, we’ll provide in-depth technical details about the BISMUTH attacks in July and August 2020 and mitigation recommendations for building organizational resilience.

Names

Name	Name-Giver
Bismuth	Microsoft
Canvas Cyclone	Microsoft

Country

• Vietnam

Motivation

• Information theft and espionage
• Financial gain

First Seen

2012

Observed Sectors

• Education
• Financial
• Government

Observed Countries

• France
• Vietnam

Information

• https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/

Other Information

Uuid

9adbce9a-231f-4bd0-a104-03324899afa8

Last Card Change

2023-04-26