Dive Brief:
- Radiflow, a cybersecurity solutions provider, discovered the first documented trace of a cryptocurrency-mining malware attack on supervisory control and data acquisition (SCADA) servers in utilities, according to a company announcement. Radiflow found that cryptomining occurred on a water utility's operational technology (OT) network.
- The malware drives up device CPU usage and network bandwidth consumption, according to the report. As a result, it slows the response time of the tools that monitor the OT network for physical changes.
- Five of the water utility company's servers were compromised, and computers on the OT network run "sensitive" applications that cannot receive current Windows or security updates/patches, said Yehonatan Kfir, CTO at Radiflow, in the announcement. To mitigate such vulnerabilities, an intrusion detection system that "passively monitors" activity within OT networks should be implemented, according to the announcement.
Dive Insight:
Research into how far the mining malware has spread is still ongoing. However, researchers believe the malware was retrieved through a web browser. Researchers were then able to watch the malware spread internally, infecting server to server, said Ilan Brada, CEO of Radiflow, in an interview with CIO Dive.
While the OT infrastructure of utility companies is often outdated and therefore vulnerable, it is unknown whether the water company's network was a specific target. It was most likely an "accident" after some hackers were scanning "the internet [to] look for processing resources and this was just the one," said Brada.
It's all about the computing power for cryptojacking. Malicious actors need to find an entry point because "it's easier to do it with someone else's processing resources and not your own," said Brada. Just last week, a mining botnet stole $3.6 million worth of cryptocurrency using the EternalBlue exploit. The hackers established 25 hosts on nodes on Windows servers.
Though utility companies have easily exploitable servers with good processing power, anyone can be susceptible to cryptomining.
Having the right safeguards in place, whether firewalls or intrusion detection systems, will help to "immediately [raise] an alert that [there] is some abnormal evolution of the network," said Brada. "Then if you react fast enough, you should be in a good position."
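The passive monitoring described above (an IDS that learns what the OT network normally does and raises an alert on an "abnormal evolution") can be illustrated with a small baseline-and-deviation detector. This is an added example, not Radiflow's product or any code from the report. It assumes a collector that periodically records, per host, CPU utilisation, outbound byte counts and the set of remote peers observed on the wire; the hostnames, the history window and the current samples below are constructed for illustration, and the external address is a documentation-range placeholder. It combines the two signals the article names (CPU and bandwidth rising together) with the server-to-server spread seen by the researchers (a host talking to a peer it never talked to before).

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Sample:
    """One passive observation of a host taken from a tap or SPAN port."""
    host: str
    cpu_pct: float          # CPU utilisation reported for the interval
    out_bytes: int          # bytes sent by the host during the interval
    peers: FrozenSet[str]   # remote endpoints the host talked to


@dataclass
class Baseline:
    """Per-host statistics learned from a window of known-good samples."""
    cpu_mean: float
    cpu_sd: float
    bytes_mean: float
    bytes_sd: float
    peers: FrozenSet[str]


def build_baselines(history: List[Sample]) -> Dict[str, Baseline]:
    """Learn what 'normal' looks like for each host in the historical window."""
    by_host: Dict[str, List[Sample]] = {}
    for s in history:
        by_host.setdefault(s.host, []).append(s)
    baselines: Dict[str, Baseline] = {}
    for host, samples in by_host.items():
        cpu = [s.cpu_pct for s in samples]
        out = [s.out_bytes for s in samples]
        # A perfectly flat metric has sd 0; fall back to 1.0 so the z-score
        # stays finite and any movement at all registers as a deviation.
        baselines[host] = Baseline(
            cpu_mean=mean(cpu), cpu_sd=pstdev(cpu) or 1.0,
            bytes_mean=mean(out), bytes_sd=pstdev(out) or 1.0,
            peers=frozenset().union(*(s.peers for s in samples)),
        )
    return baselines


Alert = Tuple[str, str, str]  # (host, kind, detail)


def detect(current: List[Sample], baselines: Dict[str, Baseline],
           z_threshold: float = 3.0) -> List[Alert]:
    """Compare fresh samples against the baselines and return alerts."""
    alerts: List[Alert] = []
    for s in current:
        b = baselines.get(s.host)
        if b is None:
            alerts.append((s.host, "unknown_host", "no baseline for this host"))
            continue
        cpu_z = (s.cpu_pct - b.cpu_mean) / b.cpu_sd
        bytes_z = (s.out_bytes - b.bytes_mean) / b.bytes_sd
        # Mining shows up as CPU *and* outbound traffic rising together;
        # requiring both keeps a bandwidth-only event (a backup job) quiet.
        if cpu_z > z_threshold and bytes_z > z_threshold:
            alerts.append((s.host, "cpu_and_bandwidth_spike",
                           f"cpu z={cpu_z:.1f}, bytes z={bytes_z:.1f}"))
        # OT traffic is static: a peer never seen before is itself a signal.
        new_peers = s.peers - b.peers
        if new_peers:
            alerts.append((s.host, "new_peer", ", ".join(sorted(new_peers))))
    return alerts


# Constructed known-good window: two hosts, steady load, fixed peers.
CONSTRUCTED_HISTORY = [
    Sample("scada-01", 10.0, 50_000, frozenset({"plc-01", "hist-01"})),
    Sample("scada-01", 12.0, 52_000, frozenset({"plc-01", "hist-01"})),
    Sample("scada-01", 11.0, 48_000, frozenset({"plc-01", "hist-01"})),
    Sample("scada-01", 13.0, 50_000, frozenset({"plc-01", "hist-01"})),
    Sample("hmi-01", 5.0, 1_000, frozenset({"scada-01"})),
    Sample("hmi-01", 5.0, 1_000, frozenset({"scada-01"})),
    Sample("hmi-01", 5.0, 1_000, frozenset({"scada-01"})),
    Sample("hmi-01", 5.0, 1_000, frozenset({"scada-01"})),
]

# Constructed current interval: scada-01 is pegged and talking to a new
# external address (203.0.113.7 is a documentation-range placeholder);
# hmi-01 moved slightly on bandwidth only and should stay quiet.
CONSTRUCTED_CURRENT = [
    Sample("scada-01", 95.0, 900_000,
           frozenset({"plc-01", "hist-01", "203.0.113.7"})),
    Sample("hmi-01", 6.0, 1_100, frozenset({"scada-01"})),
]


def run_example() -> List[Alert]:
    return detect(CONSTRUCTED_CURRENT, build_baselines(CONSTRUCTED_HISTORY))


if __name__ == "__main__":
    for host, kind, detail in run_example():
        print(f"ALERT {host}: {kind} ({detail})")
```

In production the baseline window would be re-learned on a schedule and the thresholds tuned per host class, but the shape is the same: the detector never touches the monitored servers, so it can protect the unpatchable machines the article describes without changing anything on them.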