Unauthorized crytocurrency mining attacks, sometimes referred to as “cryptojacking” have found a new target – operational technology used in critical industrial infrastructure.
Security firm Radiflow, discovered that cryptocurrency mining malware was found in the network of a water utility provider in Europe. The attack is the first public discovery of an unauthorized cryptocurrency miner impacting industrial controls systems (ICS) or SCADA (supervisory control and data acquisition) servers.
“This is the first instance of such a cryptocurrency miner that we have seen in an industrial site,” Ilan Barda, CEO of Radiflow, told eWEEK.
In a cryptojacking attack, cryptocurrency mining code is deployed without authorization on a system or a network. Mining is the computation process that is executed by participating systems as part of a mining pool to create or discover coins Multiple cryptojacking attacks have been reported in recent weeks, including a large attack against YouTube, as well as attacks against un-secured SSH and Oracle WebLogic servers, as attackers have aimed to profit from the rising value of cryptocurrency.
“We found malware on the utility’s server that was mining Monero cryptocurrency,” Yehonatan Kfir, CTO at Radiflow told eWEEK.
Kfir explained that Radiflow is still in the early stages of the investigation, but so far has been able to determine that the cryptocurrency mining software was on the water utility’s network for approximately three weeks before it was detected. Radiflow is not specifically identifying the name or the location of the utility, other than simply noting that it is in Europe.
At this point, Radiflow’s investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Barda noted that many SCADA environments still have Windows XP systems deployed as operators tend to very slow to update their operating systems.
Kfir noted that Radiflow does not currently know how much Monero (XMR) cryptocurrency was mined by the water utility infection. A recent report from Cisco’s Talos research group revealed how much money some un-authorized cryptocurrency campaigns earn, with the top five campaigns generating $1.18 million per year.
Detection
Radiflow was able to detect the cryptocurrency miner on the utility’s network with its iSID industrial intrusion detection system, while monitoring the network. With cryptocurrency mining, the miner endpoints are regularly checking in with the mining pool hosts in order to get new blocks and validate work.
Cryptocurrency mining software does not steal data from a network, rather it consumes compute cycles. Kfir said that the impact on the utility was degraded system performance, though given the size of the overall network and where the HMI systems connected, it might not have been a degradation that operators would have noticed on their own.
There is also limited evidence that the cryptocurrency malware was able to spread from the initial point of infection to other systems on the utility’s networks. Kfir noted that the investigation is still ongoing to determine the full impact.
“We’re not sure if this was a targeted attack against this company or against SCADA systems in general,” Kfir said.
Looking forward, Barda said that his company is now proactively looking for cryptocurrency miners on ICS/SCADA networks. Radiflow also has an analytics service which can potentially help to uncover other attacks.
“We’re working on enhancing our existing tools to detect attacks,” Barda said. “Our conclusion is also that additional analytics tools is something that is valuable to detect attacks like this.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.