Cyber Threat Actor: Kinsing
| Actor Type | Location | Known Incidents |
Criminal
|
China
|
2 incidents |
|---|
Profile
The threat actor is known publicly by the aliases Kinsing and H2Miner.
Attribution to a specific nation‑state or criminal consortium has not been established, though open‑source reports associate the actor with China.
The actor’s activity has been observed against a search provider (Algolia), a certificate authority (DigiCert), and other organizations that exposed SaltStack services to the internet.
These victims span multiple sectors, indicating targeting based on the presence of vulnerable Salt infrastructure rather than industry focus.
The demonstrated strategic objective is financial gain through the deployment of cryptocurrency miners, with no public evidence of data theft, espionage, or intentional disruption as a primary goal.
Service interruptions have occurred as a side effect of the mining activity, but the actor’s main motive remains monetization.
Initial access is achieved by exploiting the remote code execution flaws CVE‑2020-11651 and CVE-2020-11652 in SaltStack installations.
Successful exploitation grants root‑level control of Salt masters, which the actor leverages to execute arbitrary commands across connected minions.
From this privileged position the actor deploys a backdoor to maintain persistence and uses the compromised systems to run unauthorized computational workloads.
The May 2020 campaign that affected Algolia, DigiCert and numerous other entities exemplifies this TTP set and represents a notable publicly reported operation.
