Criminal campaign uses leaked NSA tools to set up cryptomining scheme, Trend Micro says

The research is a reminder that it is not just state-sponsored hackers that have reportedly co-opted the leaked NSA tools.

Since March, criminals have been using hacking tools reportedly stolen from the National Security Agency to target companies around the world as part of a cryptomining campaign, researchers with cybersecurity company Trend Micro said Thursday.

The broad-brush campaign has hit organizations in the banking, manufacturing and education sectors, among others, Trend Micro says. The criminals are essentially hijacking corporate computing power to harvest the cryptocurrency Monero. It’s hardly a new concept, but in this case it’s a reminder that tools deployed by state-sponsored hackers can also be used by relatively unskilled crooks more interested in making money than in spying.

“Entry-level cybercriminals are gaining easy access to what we can consider ‘military-grade’ tools — and are using them for seemingly ordinary cybercrime activity,” Trend Micro researchers wrote in a blog post.

The attacks are exploiting old versions of Microsoft Windows using a variant of a backdoor based on the EternalBlue exploit, Trend Micro said. EternalBlue is a vulnerability-abusing technique reportedly developed by the NSA that was dumped online in April 2017 by a mysterious group known as the Shadow Brokers. It has since been used in a series of attacks, including the 2017 WannaCry ransomware infections, which compromised computers in over 150 countries and caused billions of dollars in damage. Citing forensic evidence, U.S. officials have blamed the North Korean government for WannaCry.


The NSA has declined to publicly address the Shadow Brokers’ leaks. The New York Times reported last month that criminal hackers had used EternalBlue to spread ransomware on the City of Baltimore’s IT infrastructure. While not addressing the substance of The Times report, NSA senior adviser Rob Joyce has said there was no “indefensible” nation-state-built tool that is responsible for the spread of ransomware, and that network administrators have a responsibility to patch their systems.

It’s been over two years since Microsoft issued a patch for EternalBlue, but the failure of many businesses to update their systems is still haunting them. The hackers in the campaign flagged by Trend Micro aren’t even targeting specific industries, but are just seeking out organizations that use old software.

The Trend Micro researchers found over 80 files involved in the campaign that are all variants of an open-source tool for mining Monero cryptocurrency. Over half the organizations targeted were in China, India, and Vietnam, according to Trend Micro. Only companies, and not individuals, were sought out. Two U.S. companies were affected by the campaign, one in the tech industry and another in an unidentified sector, according to the researchers.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
