Water utility hit by crypto mining malware

Getting your Trinity Audio player ready...

Radiflow, a security firm specializing in SCADA (supervisory control and data acquisition) servers, has reported an attack on the network of a water utility provider based in Europe. The disclosure established a precedent in industrial-scale data control systems and critical infrastructures, given the nature and intent of its execution: cryptocurrency mining.

“This is the first instance of such a cryptocurrency miner that we have seen in an industrial site,” said Radiflow CEO Ilan Barda. Often labelled as “cryptojacking,” attacks such as these have been growing in number in relation to the hyperactive markets that cryptocurrencies have fueled since their inception almost a decade ago.

“We found malware on the utility’s server that was mining Monero cryptocurrency,” said Yehonatan Kfir, CTO at Radiflow.

The CTO explained that Radiflow’s disclosure is only an initial assessment, as the investigation is still ongoing. Thus far, the investigation has determined that the mining software has been installed into the water utility’s network protocols for over three weeks before it was identified and mitigated. As a matter of protocol, Radiflow has not disclosed any particular facility’s location, only revealing that’s somewhere in Europe.

While inconclusive, the disclosure speculates that the malware was likely acquired through an advertising site or element. This speculation is supported by logs showing that the first contact with the infection was through an HMI (Human Machine Interface) running an old operating system. Limited evidence suggests that the cryptocurrency malware wasn’t able to get past the initial point of infection. Kfir notes the initial findings are uncertain whether it was a targeted attack against this company or against SCADA systems in general.

With the entire crypto space now floating at a valuation of $400 billion in total market cap, attacks based on intentions to gain or mine cryptocurrency have proliferated. A recent example is the vulnerability found on Oracle’s point-of-sale systems. This opened risks to at least 300,000 businesses using the WebLogic server. The hack reportedly sifted $226,000 worth of Monero (XRM), a cryptocurrency leveraged by cybercriminals for its “incognito” features. Recent reports have also highlighted how North Korean hackers have been spreading Python-based injection code via Secure Shell (SSH) channels to mine cryptocurrency.

A report by Cisco’s Talos intelligence research group estimated that unauthorized cryptocurrency mining generates an average of $1.18 million annually, with the trend likely to increase in the coming years. While leading cryptocurrencies like Bitcoin Cash experience a bullish resurgence in Q1 2018, users trading and transacting in the secure network are advised to stay vigilant in relation to such threats and implement security measures on their end.