The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
Blog post from Sysdig
TeamTNT is a well-documented threat actor that has targeted cloud infrastructure since 2019, primarily through cryptojacking: mining cryptocurrency on compromised systems without the owner's consent. Operating from tooling such as ParrotOS and exploiting vulnerabilities and exposed services in Redis, Docker, and Kubernetes, TeamTNT has run large-scale campaigns such as "Dockergeddon" and "Chimaera," compromising over 10,000 devices. The group is financially motivated and mines the privacy-focused cryptocurrency Monero, whose design makes its transactions hard to trace. Despite that obstacle, Sysdig's Threat Research Team has attributed about $8,100 in cryptocurrency profits to TeamTNT. The financial damage to victims is far larger, estimated at $430,000, because the cloud compute consumed by mining is billed to the victim at rates far above what the mined coins are worth; on these figures, victims pay roughly $53 for every $1 the attackers earn. TeamTNT's approach illustrates the growing threat of cryptomining in cloud environments: a low-risk, profitable venture that continues to challenge cloud security controls.