Slashdot Mirror


Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack (eweek.com)

darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via a cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top unauthorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.

10 of 76 comments

  1. If only... by fisted · · Score: 3, Funny

    If only there was some sort of readily available monitoring software to catch this sort of crap sooner than after 3 weeks.
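The kind of sustained-CPU check that comment is asking for, as an added example that is not code from Slashdot, Radiflow or the article. The host name, process names and poll lines are constructed; an HMI normally idles at a low, stable load, so a baseline learned from its first polls plus a margin is enough to flag a miner that pins the CPU for consecutive polls.

```python
"""Flag an HMI host whose CPU stays far above its own baseline for
several consecutive polls (cryptojacking leaves exactly this footprint).
Constructed telemetry: one line per five-minute poll,
'timestamp host cpu_pct top_process'."""

# Constructed sample polls: four quiet polls, then a masquerading miner.
SAMPLE_POLLS = """\
2018-01-10T08:00 hmi-01 12 hmi.exe
2018-01-10T08:05 hmi-01 15 hmi.exe
2018-01-10T08:10 hmi-01 11 hmi.exe
2018-01-10T08:15 hmi-01 14 hmi.exe
2018-01-10T08:20 hmi-01 98 updater.exe
2018-01-10T08:25 hmi-01 97 updater.exe
2018-01-10T08:30 hmi-01 99 updater.exe
2018-01-10T08:35 hmi-01 96 updater.exe
"""


def parse_polls(text):
    """Split poll lines into (timestamp, host, cpu_pct, top_process)."""
    rows = []
    for line in text.splitlines():
        ts, host, cpu, proc = line.split()
        rows.append((ts, host, int(cpu), proc))
    return rows


def sustained_cpu_alerts(rows, baseline_n=4, margin=50, window=3):
    """Learn a per-host baseline from the first `baseline_n` polls and
    alert once a host exceeds baseline + margin for `window` polls in a row.
    One alert per streak; a single busy poll (e.g. a HMI redraw) never fires."""
    by_host = {}
    for ts, host, cpu, proc in rows:
        by_host.setdefault(host, []).append((ts, cpu, proc))
    alerts = []
    for host, polls in by_host.items():
        if len(polls) <= baseline_n:
            continue  # not enough history to learn a baseline yet
        threshold = sum(c for _, c, _ in polls[:baseline_n]) / baseline_n + margin
        streak = []
        for ts, cpu, proc in polls[baseline_n:]:
            if cpu <= threshold:
                streak = []  # load dropped back: reset the streak
                continue
            streak.append(ts)
            if len(streak) == window:
                alerts.append({"host": host, "since": streak[0], "at": ts,
                               "process": proc, "threshold": threshold})
    return alerts
```

A real deployment would persist the baseline and read polls from the host monitoring agent, but the windowed comparison above is the part that turns three weeks into fifteen minutes.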

  2. Need for separate browsing and operations by ArtemaOne · · Score: 4, Insightful

    Come on. Don't run your operational systems on the internet, even if they need to be internet connected. Provide your employees with a separate system connected outside the LAN so that such issues are isolated. Another solution in non-sensitive areas is simply giving them Wi-Fi and access to their phones. All of these solutions present fewer problems than having employees on the operational system infecting the operational network.

    1. Re:Need for separate browsing and operations by Darinbob · · Score: 2

      This should be basic training everywhere. I can certainly understand someone sneaking around the rules and browsing the net using their normal work computer, but it's a severe lapse of responsibility to use a critical production computer to do this browsing.

  3. Re:WINDOWS XP on the INTERNET...???? by jfdavis668 · · Score: 5, Funny

    That's why I stayed with Windows 2000.

  4. Not XP by kackle · · Score: 3, Interesting

    According to the summary, web ads (why aren't those blocked?!) are suspect. Windows XP is mentioned, though, as it's to blame somehow. To me, XP (or any older OS) is the devil you know versus the devil you don't - you can plan for the devil you know. Don't assume XP is automatically worse because we haven't discovered everything about 10, etc. For the technically smug, look at the surprise of Meltdown and Spectre.

    As to why they aren't upgrading everything all the time, I work in water too, and like other such "invisible" industries, it is big and more complex than you may think. Since these sites must function, NO MATTER WHAT, screwing around with one that is working fine is discouraged since each new "project" requires much planning, thought, approval and budgeting.

    In my younger days, in an instant, I brought down a medium-sized city's water supply just by plugging in a serial cable, the large pumps shutting down next to me. The controlling PLC's serial port powered pin #9 (not commonly done) as did the new radio transceiver that I just plugged in. "Did I do that?!!"

    I was fortunate in that shutting pumps off ungracefully can cause severe "water hammer" on the main pipes underground - broken pipes sometimes result. ...From plugging in a serial cable. Desktop jockeys don't understand such things.

  5. Why is any SCADA system still Internet-accessible? by adosch · · Score: 2

    I remember hearing the SCADA and industrial hacking news as far back as the early 2000's from when I got into the tech world, and even then, always the same take-away: Why are these systems even accessible outside the intranet they exist on? I'd even take it a step further and wonder why there isn't a much tamer form of a secured, air gap datacenter approach to this? Anyone who's done or worked with building automation systems or even went to a tech school for SCADA operation knows this shit doesn't have to exist and be set up that way.

    I actually wondered what the hit-rate of SCADA attacks was, and I had no idea there was an online database of them that goes way back into the early 90's. And exposure to the internet is harder to hide from, shoot, most don't even have to try if they are using Shodan.

    I think that's the real issue and always has been. That really-old-Windows-OS-and-the-word-crypto-buzzword phrasing is just a tech journalism shock-jock plug to lighten the heat from the real problem.

  6. Dumb Firewall by JBMcB · · Score: 2

    Seems simple to me. SCADA systems shouldn't be controllable over the internet, or by anything connected to the internet. For remote control use leased lines. Hardly anyone uses ISDN or leased 56k lines anymore, so there's an easy solution.

    For monitoring, you can have an internet connected data logger wired into the SCADA system with a serial port. Even if someone manages to hack into the data logger, you can't take over the SCADA system if it's not designed to accept commands over serial.

    I worked for a broadcast company that operated this way. The broadcast equipment could only be controlled by standing in front of the machine, or via a single hardwired remote terminal in the operations room that wasn't connected to anything else. It spit out a bunch of system status data over a serial port to a network connected machine, but you couldn't control it that way.

    --
    My Other Computer Is A Data General Nova III.

  7. Re:Can't we just illegalize monero? by Opportunist · · Score: 2

    Great idea!

    While we're at it, maybe we can outlaw malware as well?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  8. Re:I have some past in this strange SCADA world by nitehawk214 · · Score: 2

    The modus operandi of privately owned utility companies: Socialize losses, privatize profit.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust

  9. Re:Why is any SCADA system still Internet-accessib by Billly+Gates · · Score: 2

    For piracy and to prevent used SCADA sales. They must be on the internet all day to re-activate themselves.

    They also refuse, on purpose, to support anything after XP to force repurchases of perfectly good working systems with 7 support. So CFOs buckle and keep XP on instead as a form of giving them the finger.

    Then the I.T. guy gets blamed when they get hacked because the CFO doesn't want to pay the extortion to throw out a good SCADA controller because the vendor wants more money and you can't be used just to ensure the PC attached gets security updates. Ridiculous.

    There should be laws as this is part of infrastructure and something both China and Russia know too well if they want to hurt another country.