When crypto-mining malware hits a SCADA network

Stealthy crypto-mining is on track to surpass ransomware as cybercriminals’ most favorite money-making option, and companies with computers and servers that run all day and night long are the preferred targets.

crypto-mining malware hits SCADA network

This could be more than just a nuisance to the companies – it could seriously affect business operations and render some companies unable to operate for days and even weeks.

In some instances, namely when the companies are part of critical infrastructure, the consequences may be more severe than in others.

Monero-mining malware on servers of a water utility company

Industrial cybersecurity vendor Radiflow shared with Help Net Security the most recent example of such an incident.

The company has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included the HMI (Human Machine Interface), which was also the control server of the physical processes of the company.

“These PCs had some indirect connectivity to the Internet for remote monitoring,” Yehonatan Kfir, CTO at Radiflow, explained to us. “It seems that one of these was wrongly used for browsing to a site with the malware and from there it was spread to the internal network to several other servers.”

The company discovered the attack as part of a routine and ongoing monitoring of the OT network of the water utility customer.

Its industrial intrusion detection system raised the alarm after identifying several abnormalities, including unexpected HTTP communication attempts with suspicious IP addresses and changes to the topology of the customer’s OT network (from a tree-like topology that is typical for SCADA networks to a more star-like topology where several servers communicating with many external IP addresses of crypto miner pools).

“As an immediate mitigation, the entire site was disconnected from the Internet,” Kfir shared. “We will design the improved setup in a few days, but it will likely include improved firewalling on the Internet link and better segmentation inside the site.”

Luckily, the operation of the utility wasn’t affected but had the malware been ransomware the attack could likely have had more of a negative impact on business operations.

Crypto-mining malware attacks are a serious problem

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” Kfir noted.

“While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

This particular instance of crypto-mining malware was also designed to disable security tools on the target systems to operate undetected. But, in general, PCs in an OT network run sensitive HMI and SCADA applications that cannot get the latest Windows, antivirus and other critical updates and will always be vulnerable to malware attacks, Kir pointed out.

Radiflow CEO Ilan Barda said that given the attractiveness of cryptocurrency mining and its increasing need for processing power, they would not be surprised to see such attacks on other OT networks.

“This case emphasizes the need for a holistic cybersecurity solution for OT networks, including access control, intrusion detection and analytics services with the relevant expertise,” he added.

For the moment, this seems like a non-targeted attack that hit as part of a broader search for online resources. Still, the company’s research team is still in the middle of a more in-depth analysis of the overall site activity, and they might change their assumption about the specific targeting.

They are also still investigating the cause of the infection, to discover which vulnerability (if any) was exploited to install the crypto-mining malware. Local regulatory authorities have also been informed of the incident and are cooperating in the investigation.