Confirmed cryptocurrency attack on SCADA network
13 February 2018
The first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator has been reported.
Radiflow, a vendor of cybersecurity solutions for critical infrastructure, said it discovered the attack during routine, ongoing monitoring of the operational technology (OT) network of a US water utility. The attack infected several servers in the OT network with malware that mined the Monero cryptocurrency.
Such cryptocurrency malware attacks increase device CPU load and network bandwidth consumption, severely impairing the response times of the tools used to monitor physical changes on an OT network, such as HMI and SCADA servers, Radiflow said. This in turn reduces the control a critical infrastructure operator has over its operations and slows its response to operational problems.
The report comes as it was revealed that several Irish government and public sector websites had been injected with cryptocurrency-mining code through a compromised plug-in.
The research team determined that the malware was designed to run in stealth mode on a computer or device, and even to disable its security tools, in order to operate undetected and keep mining for as long as possible.
“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” said Yehonatan Kfir, CTO, Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”
The cryptocurrency malware attack was discovered by the vendor's industrial intrusion detection system while it was monitoring the network of the utility's wastewater site. It identified, and alerted on in real time, several abnormalities, including unexpected HTTP communications and changes to the topology of the customer's OT network, as well as communication attempts with suspicious IP addresses.
“PCs in an OT network run sensitive human-machine interface (HMI) and SCADA applications that cannot get the latest Windows, antivirus and other important updates and will always be vulnerable to malware attacks,” said Kfir. “The best way to address this risk is using an intrusion detection system that passively monitors the communication in the OT network and detects anomalies in real-time caused by such malware.”
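The kind of passive, baseline-driven detection described in the two paragraphs above (unexpected HTTP, a changed network topology, conversations with suspicious peers) is shown here as an added example written for this page; it is not Radiflow's product or any code from the report. The flow records, the 10.10.0.0/16 OT address range and every host and address in them are constructed for the example; a real deployment would be fed from a mirror or span port rather than from embedded strings.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One flow record, as a passive sensor on a mirror port would summarise it.
Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumed address space of the OT site; anything outside it is treated as external.
OT_NETWORKS = [ip_network("10.10.0.0/16")]

# Constructed flows from a learning window of normal operation: the HMI polls two
# PLCs over Modbus/TCP and the historian queries the HMI's database. No HTTP, no
# external destinations.
BASELINE_LOG = """\
2018-02-01T08:00:00 10.10.1.5 10.10.2.10 502 modbus
2018-02-01T08:00:01 10.10.1.5 10.10.2.11 502 modbus
2018-02-01T08:00:02 10.10.1.20 10.10.1.5 1433 mssql
"""

# Constructed flows from a later window: the normal polling, plus the HMI talking
# HTTP to an address outside the plant and a host that was never seen before.
OBSERVED_LOG = """\
2018-02-05T03:10:00 10.10.1.5 10.10.2.10 502 modbus
2018-02-05T03:10:01 10.10.1.5 198.51.100.7 80 http
2018-02-05T03:10:02 10.10.1.99 10.10.1.5 445 smb
2018-02-05T03:10:03 10.10.1.20 10.10.1.5 1433 mssql
"""


def parse_log(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def is_internal(host):
    """True if the address lies inside the assumed OT address space."""
    addr = ip_address(host)
    return any(addr in net for net in OT_NETWORKS)


def build_baseline(flows):
    """Learn the set of known OT hosts and the (src, dst, proto) conversations seen."""
    return {
        "hosts": {h for f in flows for h in (f.src, f.dst) if is_internal(h)},
        "conversations": {(f.src, f.dst, f.proto) for f in flows},
    }


def detect(baseline, flows):
    """Compare new flows against the baseline and return (rule, subject, flow) alerts.

    new_host: an OT-range address not present during learning (a topology change).
    external_peer: a conversation with an address outside the OT ranges.
    unexpected_conversation: a src/dst/protocol triple never seen during learning,
    which is how HTTP from an HMI stands out on a segment that only spoke Modbus.
    """
    alerts = []
    reported_hosts = set()
    for f in flows:
        for host in (f.src, f.dst):
            if is_internal(host) and host not in baseline["hosts"] and host not in reported_hosts:
                reported_hosts.add(host)
                alerts.append(("new_host", host, f))
        for host in (f.src, f.dst):
            if not is_internal(host):
                alerts.append(("external_peer", host, f))
        if (f.src, f.dst, f.proto) not in baseline["conversations"]:
            alerts.append(("unexpected_conversation", f"{f.src}->{f.dst}/{f.proto}", f))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for rule, subject, flow in detect(base, parse_log(OBSERVED_LOG)):
        print(f"{flow.ts} {rule:24s} {subject:32s} "
              f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto}")
```

Two practical caveats: the learning window has to be one the operator believes was clean, otherwise a miner that was already running gets baked into the baseline; and the approach works against "stealth mode" malware precisely because mining cannot hide its network behaviour, since the miner must keep talking to a pool or proxy that the OT segment never spoke to before.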
Radiflow said its research team is continuing to investigate the events surrounding this malware attack in close cooperation with regulatory authorities.
“Given the attractiveness of cryptocurrency mining and its increasing need for processing power, we will not be surprised if we continue to see such attacks on other OT networks,” said Ilan Barda, CEO, Radiflow. “This case emphasizes the need for a holistic cybersecurity solution for OT networks, including access control, intrusion detection and analytics services with the relevant expertise.”