Stay in touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

First Confirmed Cryptocurrency Attack on SCADA Network

Thursday, February 15, 2018 By

Utility companies set to face crypto-mining malware threat to critical infrastructure management systems


The first confirmed crypto mining malware attack on a SCADA system has been confirmed, raising the spectre of other attacks on critical infrastructure.

The attack focussed on the network of a wastewater site of a utility company, thought to be based in the US. According to reports, the SCADA malware is designed to mine Monero on HMI and SCADA servers, and had successfully compromised several servers on the network before being detected by a Radiflow monitoring tool.

The researchers spotted unusual network activity, including unexpected HTTP communications and changes to the topology of the OT network as well as communication attempts with suspicious IP addresses, which lead to the discovery of the malware. They found that the cryptocurrency malware was designed to run in a stealth mode and disable its security tools in order to operate undetected and maximize its mining processes for as long as possible.

First Confirmed Cryptocurrency Attack on SCADA Network

Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” said Yehonatan Kfir, CTO, Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.

The threat posed to SCADA systems by crypto mining malware could be significant, given the attacker’s aim to sweep up as much processing power as possible into their mining operation, which could potentially leave vital infrastructure with significantly diminished resources to respond to real world challenges.

Ilia Kolochenko, CEO, High-Tech Bridge commented that the issue is having broader consequences: “With the steady growth and popularity of digital currencies, we shall expect continuous and persistent growth of attacks targeting the wallets and/or installing malware to mine the coins.

Unlike credit cards, PayPal or bank accounts, digital currencies are a unique opportunity for cybercriminals to use stolen [digital] money without risk of being halted or having their money frozen. Law enforcement and governments have virtually no control over digital coins and cannot intervene in the game at the moment. Therefore, using all previously available and some emerging techniques of phishing and drive-by-download attacks, cyber criminals will likely focus their efforts on crypto currencies in the near future.

The attack may be the first SCADA-based crypto-mining effort to be officially documented, but attacks on other networks have been rising fast. In recent days more than 4,000 websites including the UK Information Commissioner's Office (ICO) and other government sites, including USCourts.gov, the Financial Ombudsman Service (financial-ombudsman.org.uk) and a string of otherwise respectable government sites were hacked in order to force users to mine Monero via their browsers.

Separately, it was recently disclosed that the Smominru cryptocurrency botnet, has infected 526,000 machines and generated as much as $3.6 million as a result. The scale and power of the botnet implies that it is extracting a heavy penalty in hardware usage and electricity costs from the unknowing businesses hosting it, according to researchers.

It seems pretty likely that crypto-mining malware and stealthy drive-by mining techniques will continue to be a feature throughout 2018, unless enterprise (supported by the cybersecurity industry) really steps up...

Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.

User Comments
Add Comment

High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share