
Cryptomining group Kinsing expands operations to Russia, researchers warn

Russian cybersecurity researchers said the Kinsing hacker group has launched a large-scale wave of cyberattacks aimed at hijacking Russian computers for cryptocurrency mining.

In a report last week, Russia-based cybersecurity firm F6 said the attacks began in April and infected devices with Kinsing and XMRig malware, tools commonly used to mine the cryptocurrency Monero. F6 did not disclose which companies were targeted.

Kinsing, also known as H2Miner and Resourceful Wolf, has been active since 2019 and is one of the most prolific groups engaged in so-called cryptojacking. Instead of phishing, the hackers scan company networks for vulnerabilities in widely used software and exploit them to install malicious code.

In the latest campaign, attackers attempted to exploit CVE-2017-9841, a critical flaw in the popular PHP testing framework PHPUnit. The vulnerability, patched in 2017 but still present in outdated systems, allows hackers to remotely execute code and take full control of servers. 

While most Kinsing attacks have historically been recorded in North America, Western Europe and Asia, F6 said this is the first time it has observed large-scale activity in Russia. It found no evidence of the group targeting companies elsewhere in Eastern Europe.

The discovery comes amid a broader rise in cryptomining campaigns in Russia. In June, another group known as Rare Werewolf deployed XMRig on hundreds of Russian computers, including at industrial enterprises and engineering schools, with additional infections reported in Belarus and Kazakhstan. In September, Russian cybersecurity firm F.A.C.C.T. documented a separate campaign delivering XMRig to Russian businesses through malicious email auto-replies.

“The case of Kinsing attacks on Russian companies highlights the need to defend against even rare and unusual cyber threats, as criminal groups are not limited by industry or geography and can strike users anywhere in the world,” said Vladislav Kugan, an analyst at the threat intelligence unit of F6.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.