WIRED reports on how cryptojacking has been found in operational technology assets in a European water utility:
Radiflow CEO Ilan Barda says the company had no idea it might discover a malicious miner when it installed intrusion detection products on the utility’s network, particularly on its inner network, which wouldn’t usually be exposed to the internet. “In this case their internal network had some restricted access to the internet for remote monitoring, and all of a sudden we started to see some of the servers communicating with multiple external IP addresses,” Barda says. “I don’t think this was a targeted attack, the attackers were just trying to look for unused processing power that they could use for their benefit.”
Industrial plants may prove an enticing environment for malicious miners. Many don’t use a lot of processing power for baseline operations, but do draw a lot of electricity, making it relatively easy for mining malware to mask both its CPU and power consumption. And the inner networks of industrial control systems are known for running dated, unpatched software, since deploying new operating systems and updates can inadvertently destabilize crucial legacy platforms. These networks generally don’t access the public internet, though, and firewalls, tight access controls, and air gaps often provide additional security.
Security specialists focused on industrial control, like the researchers at Radiflow, warn that the defenses of many systems still fall short, though.
“I for one have seen a lot of poorly configured networks that have claimed to be air gapped but weren’t,” RedTeam Security’s Cardacci says. “I am by no means saying that air gaps don’t exist, but misconfigurations occur often enough. I could definitely see the malware penetrating crucial controllers.”
As attackers grow in sophistication, so will their attacks. It should come as no surprise that this type of malware has made its way into OT networks. If an OT network can be penetrated, attackers will find a way to leverage those assets, whether for hacktivism, politics, causing damage, or even mining cryptocurrency.
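The indicator Barda describes above, internal servers that should rarely reach the internet suddenly talking to multiple external addresses, can be turned into a simple fan-out check over flow records. The script below is an added example, not code from WIRED, Radiflow or the utility; the internal address ranges (RFC 1918 as a stand-in), the allow-list of approved remote-monitoring hosts and the flow records are all constructed assumptions.

```python
"""Flag internal hosts that contact an unusual number of distinct external IPs.

Added example (not from the original article). Models the signal Radiflow
observed: hosts on a restricted OT network opening connections to several
external addresses at once. All data below is constructed sample input.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the plant's internal ranges; RFC 1918 space used as a stand-in.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumption: the few external hosts the remote-monitoring link is allowed to reach.
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# External addresses are taken from documentation ranges (TEST-NET).
SAMPLE_FLOWS = [
    ("2018-02-01T10:00:00", "10.10.1.5", "203.0.113.10", 443),   # approved remote monitoring
    ("2018-02-01T10:00:05", "10.10.1.5", "10.10.1.20", 502),     # internal Modbus traffic
    ("2018-02-01T10:01:00", "10.10.1.7", "198.51.100.4", 3333),  # unexpected external peer
    ("2018-02-01T10:01:07", "10.10.1.7", "198.51.100.9", 3333),
    ("2018-02-01T10:01:12", "10.10.1.7", "192.0.2.33", 14444),
    ("2018-02-01T10:02:00", "10.10.1.7", "192.0.2.77", 3333),
    ("2018-02-01T10:03:00", "10.10.1.9", "10.10.1.20", 502),     # internal Modbus traffic
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_fanout(flows):
    """Map each internal source to the set of unapproved external IPs it contacted."""
    fanout = defaultdict(set)
    for _ts, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
            fanout[src].add(dst)
    return fanout


def flag_hosts(flows, threshold=2):
    """Return internal hosts that reached more than `threshold` distinct unapproved external IPs.

    On a network that is supposed to be isolated, even a low threshold is a
    meaningful alert; tune it against a baseline captured during normal operation.
    """
    return sorted(src for src, dsts in external_fanout(flows).items() if len(dsts) > threshold)


if __name__ == "__main__":
    fanout = external_fanout(SAMPLE_FLOWS)
    for host in flag_hosts(SAMPLE_FLOWS):
        print(f"{host}: {len(fanout[host])} unapproved external peers -> {sorted(fanout[host])}")
```

Run against the constructed records it reports only `10.10.1.7`; the host whose sole external contact is the approved monitoring endpoint stays quiet. In practice the allow-list and the threshold come from a baseline of the plant's normal traffic, and any host that trips the check on a network that is supposed to be air gapped deserves a look regardless of whether the destinations are known mining pools.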