Cryptojacking malware discovered running on critical infrastructure control systems

Radiflow reports that they discovered cryptojacking software — malware that mines cryptocurrency — running in the monitoring and control network of an unnamed European water utility, the first such discovery, and a point of serious concern about the security and integrity of critical infrastructure to both targeted and untargeted attacks.


The control systems for factories, utilities and other infrastructure are notoriously insecure, since they consist of a mix of physically remote computers than can't be readily accessed for updates; brittle aggregations of technologies of several different vintages that may stop working altogether if one element is patched; and computers that are assumed to be airgapped (isolated from the internet) and thus considered immune to information attacks.


Cryptojacking represents a tantalizing opportunity for criminals, who are always on the hunt for ways to turn compromised systems and cash; last weekend's compromise of thousands of systems with cryptojacking scripts was an example of how an easy monetization path incentivizes hackers to find new targets for malware.

Infrastructure systems are a great host for parasitic CPU-hogging malware; typically they already consume huge amounts of electricity, allowing the mining activity to disappear into the background, and they are often idle, tripped only when systems break down. Unfortunately, this means that infections that might critically slow or hang these systems can go undiscovered until they are called to avert catastrophe — and fail.

Radiflow is still assessing the extent of the impact, but says that the attack had a “significant impact” on systems. The researchers note that the malware was built to run quietly in the background, using as much processing power as it could to mine the cryptocurrency Monero without overwhelming the system and creating obvious problems. The miner was also designed to detect and even disable security scanners and other defense tools that might flag it. Such a malware attack increases processor and network bandwidth usage, which can cause industrial control applications to hang, pause, and even crash—potentially degrading an operator’s ability to manage a plant.

"I'm aware of the danger of [malware miners] being on industrial control systems though I've never seen one in the wild,” says Marco Cardacci, a consultant for the firm RedTeam Security, which specializes in industrial control. “The major concern is that industrial control systems require high processor availability, and any impact to that can cause serious safety concerns."


Cryptojacking Found in Critical Infrastructure Systems Raises Alarms [Lily Hay Newman/Wired]