Actor: 8220 Gang

Names: 8220 Gang, 8220 Mining Group

Country: [Unknown]

Motivation: Financial gain

First-seen: 2017

Description: (Trend Micro) 8220 Gang (also known as “8220 Mining Group,” derived from their use of port 8220 for command and control or C&C communications exchange) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and misconfigured Docker containers to deploy cryptocurrency miners in both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, among other tools in their campaigns.

Operations: 2021-05

Operations: 8220 Gangs Recent use of Custom Miner and Botnet https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/

Operations: 2022-07

Operations: 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/

Operations: 2022-10

Operations: 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/

Operations: 2022-11

Operations: 8220 Gang Continues to Evolve With Each New Campaign https://sysdig.com/blog/8220-gang-continues-to-evolve/

Operations: 2023-05

Operations: 8220 Gang Evolves With New Strategies https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html

Information: https://blog.talosintelligence.com/cryptomining-campaigns-2018/

Information: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/the-8220-gang-targeting-cloud-providers/

Last-card-change: 2023-06-21

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi