The Case of the Crypto Miners: When Attackers Use Deception

Cyber Deception and UK Businesses

What do you do when sophisticated attackers disguise themselves as low-priority threat actors to more easily deliver a dangerous payload? I want to take security leaders back to a news story that broke in the preceding months and got overshadowed by the huge Solar Winds news. This story also involves a breach, as well as attackers who maintained persistence on the network. Neither of these events is, unfortunately, rare.

So, I have a simple question for the purposes of this blog: when are we going to change how we protect networks? Overwhelming evidence points to the fact current approaches are simply not good enough. Do we carry on following the same approach and hope it’s not us next, or do we try and take a more intelligence-led approach to protecting our corporate infrastructure?

Don’t Make Risk Assumptions

I can hear some readers think immediately, “Why would I be the focus of any nation-state threat actor group? I don’t have anything of value, and I’m not a high-profile organisation.” That may well be the case, but all of those statements are based on assumptions and not rooted in any hard data. This highlights an important point: Do not allow your security posture to be led by assumptions. Your security posture needs to be informed by intelligence. Assumptions will only lead to undesirable and unforeseen consequences which we know senior stakeholders hate, even more so in an economic environment where instability is the new normal.

You may well be the focus of nation state threat actors because access to your infrastructure may allow access to the organisation that is the intended target. Who you do business with is critical. You may be a pivot point for the attackers.

Nation-State Actors & Crypto Miners

One does not normally associate crypto mining with nation-state threat actors. Crypto miners normally result in a low-priority alert for some organisations. Why? Generally, they are regarded as a nuisance as they normally do little more than utilise system resources. This provides an opportunity for attackers to try and use deceptive techniques to pass off sophisticated attacks under the guise of a crypto attack. What they are doing is using deception to deliver their payload. This is yet another example of how attackers seem to adopt new approaches with much greater foresight than those who are defending corporate networks. Adaptive behavioural traits is a skill set that all senior security leaders should consider adopting.


That jumble of letters refers to a nation-state threat actor group that used this very deceptive technique to breach a range of both private and public sector entities and extract data for many months. How did the attack play out? Well, it began with spear phishing attacks—but not your usual run of the mill mass spam runs. One individual from each target organisation was sent a spear phishing email. Interestingly, in some instances, the attackers engaged in correspondence with the targeted individual. This was highly unusual and something that was not widely observed before this attack took place.

This highlights a very interesting point with respect to the spear phishing component of the attack. The everyday approach to dealing with this type of attack is to try and block the attacks. However, when attackers are adapting their behaviour to focus on one individual and crafting very specific attacks, the block and drop approach is likely to fail, as it did in this instance. The attackers were actually involved in an extended conversation with the victim, and at no point did the victim come to the realisation they were being socially engineered. In fact the attackers increased the chances that their victim would click on malicious links in the email chain, whilst simultaneously reducing the chance they would be spotted; as the email exchange would look legit to security processes. The ability to take spear phishing attacks and derive detailed intelligence about what is behind them is critical to an organisation’s security posture in 2021. Block, drop and forget may well lead to correspond, click and compromise.

Attack Path

In the case of Bismuth, the spear phishing attack resulted in a malicious DLL’s being dropped on the targeted machine, which connected back to a command-and-control server, which in turn led to the dropping of further files. This customised malware used the same names as a legitimate Microsoft word DLL. The objective here was to load malicious code into a legitimate process. Once this was done, the attack played out following the traditional framework: discovery, lateral movement, further discovery and intelligence gathering. PowerShell commands were then used to dump the credentials of the SAM database, after which the attackers deleted PowerShell event logs to remove evidence of their activity. At each step of the attack cycle, there was a wealth of digital footprints left behind, but because processes and DLL’s are renamed and blended in to look like day-to-day traffic they were not detected. Could they have been detected?

A Potential Solution

One possible approach to detecting all of those TTPs and IOCs that were left behind would have been through the use of deception technology. Traditional thinking would be to deploy the deception environment internally, but at this point the attackers are already inside the network. What if we could deploy that infrastructure externally and engage the attackers so that they engage with the deception environment, leaving behind a rich stream of intelligence? This could be used by analysts to tweak current monitoring and security tools to ensure that the attacker’s presence would be detected. IOC’s uncovered by deception and delivered in real time within the context of attacks against your infrastructure is intelligence that is timely, contextualised, and actionable.

CounterCraft Cloud offers a spear phishing campaign that’s easy to buy and low-friction to use. You can start using our cloud infrastructure to redirect spear phishing attacks away from your users and into our deception environment. CounterCraft Cloud can collect the TTPs and IOCs that the spear phishers leave behind. Get access to that intel immediately, before you have been breached, and put it to work immediately across your organisation, giving a security uplift.

Whenever valuable new defensive techniques come along, organisations will ask themselves if they are mature enough or ready for them. The question that an intelligence-led organisation should ask is: how can I use these new defensive techniques to deliver better security to my business stakeholders. It is never about maturity. It is more about a mindset: adopting an adaptive one that will help defend your organisation. CounterCraft makes it easy to deploy deception-based threat intel gathering for organisations of any maturity level, via CounterCraft Cloud.

Modern organisations must become intelligence-drivenn adaptive cybersecurity organisation.

This is what is needed to survive the combined risks posed by economic uncertainty and ever-aggressive threat attackers.

Like Jim Morrison said, this is the end. But you can...