Security firm Radiflow discovered that cryptocurrency mining malware was found in the network of a water utility provider in Europe. The attack is the first public discovery of an unauthorised cryptocurrency miner impacting industrial controls systems (ICS) or SCADA (supervisory control and data acquisition) servers.
Radiflow CEO Ilan Barda told eWEEK that this was the first instance of such a cryptocurrency miner that it had seen in an industrial site.
Multiple crypto jacking attacks have been reported in recent weeks, including a significant attack against YouTube, as well as attacks against un-secured SSH and Oracle WebLogic servers, as attackers have aimed to profit from the rising value of cryptocurrency.
Malware on the utility's server was mining Monero cryptocurrency and it as there for three weeks before anyone noticed. Radiflow is not explicitly identifying the name or the location of the utility, other than noting that it is in Europe.
The cryptocurrency mining malware was likely downloaded from a malicious advertising site by an operator at the water utility who opened a web browser and clicked on an advertising link that led the mining code being installed on the system.
The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network, and it was running the Microsoft Windows XP operating system. Barda noted that many SCADA environments still have Windows XP systems deployed as operators tend to very slow to update their operating systems.
There is big money to be made from this sort of hack. Cisco's Talos research group revealed how much money some unauthorised cryptocurrency campaigns earn, with the top five campaigns generating $1.18 million per year.
Radiflow detected the cryptocurrency miner on the utility's network with its iSID industrial intrusion detection system, while monitoring the network. With cryptocurrency mining, the miner endpoints are regularly checking in with the mining pool hosts in order to get new blocks and validate work.