How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine, disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions so that they can be added to the list of all transactions, known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.
Some cryptocurrencies can be mined using small computers with low processing power, such as the Raspberry Pi. Other cryptocurrencies, such as Bitcoin, can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners get rewarded with cryptocurrency.
Because cryptocurrency mining is power-hungry, especially for the top cryptocurrencies like Bitcoin, a high electricity bill is one of the obstacles that keep many from venturing into this field. To get around this hurdle, malicious actors steal power from their employers and even from strangers. Aside from electricity, malicious actors also steal from employers or strangers the computing power of computers that can process a significant amount of data faster than ordinary computers.
The theft of electricity at one of Ukraine’s nuclear power plants isn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.
Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants, which only stole the plant’s electricity as the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service, confirmed to Interfax that there had been an unauthorized attempt to use the institute’s “computing power for personal purposes, including for the so-called mining”.
Employees aren’t the only ones interested in your organization’s computing power for crypto mining; unknown external attackers are also after it. Attackers steal computing power in a process called “cryptojacking”.
In cryptojacking, malicious actors, who could be either insiders or outsiders, install crypto mining software on vulnerable systems, including websites, operating systems or public cloud accounts, in order to earn cryptocurrency.
In February 2018, researchers at RedLock reported that Tesla was once a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
In May this year, researchers at Guardicore Labs reported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Post reported that the fired school principal deployed 8 computers inside the school to mine the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures for monitoring crypto mining activity within your organization’s premises, along with ways to prevent this threat from occurring in your organization:
An unusual increase in the electricity bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Somewhere lurking in your organization’s premises could be computers used for cryptocurrency mining and racking up your organization’s electricity bill.
If your organization’s computers are functioning a bit slower than usual, this could be a sign that your organization’s computers are being used for illicit cryptocurrency mining.
Malicious actors in recent months have learned how to be stealthy in their cryptojacking activities, such as mining only cryptocurrencies that use less computing power and electricity, to deflect suspicion. For instance, the cryptojacking incident reported by Guardicore Labs in May this year, which compromised 50,000 servers, mined a relatively new cryptocurrency called “Turtlecoin”, a cryptocurrency that can be mined even on small computers with low processing power, such as the Raspberry Pi.
Monitoring network traffic is one of the ways to discover this type of stealthy cryptojacking activity. Access to your organization's network from unknown locations and during non-working hours is a telltale sign of a network compromise and possible illicit cryptocurrency mining.
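The check described above, as an added example that is not part of the original article: a short Python script that reviews remote-access log lines and flags events from networks outside an allowlist or outside working hours. The log format, the allowlisted networks, the working hours and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, time

# Assumed policy (not from the article): known networks and working hours.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
WORK_START, WORK_END = time(8, 0), time(18, 0)
WORK_DAYS = range(0, 5)  # Monday (0) through Friday (4)

# Constructed sample log, one event per line: "timestamp user source_ip host"
SAMPLE_LOG = """\
2019-08-26T09:14:02 alice 10.1.4.22 build-01
2019-08-27T02:41:55 svc-backup 198.51.100.77 db-02
2019-08-28T23:05:10 bob 10.1.4.30 build-01
2019-08-31T11:00:00 alice 203.0.113.9 vpn-gw
malformed line
2019-08-29T14:20:00 carol 192.0.2.200 web-03
"""

def parse_line(line):
    """Return (timestamp, user, ip, host), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1],
                ipaddress.ip_address(parts[2]), parts[3])
    except ValueError:  # bad timestamp or bad IP address
        return None

def reasons(ts, ip):
    """List the reasons, if any, why an access event deserves a closer look."""
    found = []
    if not any(ip in net for net in KNOWN_NETWORKS):
        found.append("unknown_network")
    if ts.weekday() not in WORK_DAYS or not (WORK_START <= ts.time() < WORK_END):
        found.append("off_hours")
    return found

def review(log_text):
    """Return (alerts, skipped): flagged events and the count of unparsable lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            skipped += 1  # surface unparsable lines rather than dropping them silently
            continue
        ts, user, ip, host = event
        why = reasons(ts, ip)
        if why:
            alerts.append({"time": ts.isoformat(), "user": user,
                           "src": str(ip), "host": host, "reasons": why})
    return alerts, skipped
```

Calling `review(SAMPLE_LOG)` returns the flagged events and the number of skipped lines; replace the allowlist and hours with your organization's own before using it on real logs.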
Lastly, practice basic cyber hygiene such as keeping your organization’s operating systems up-to-date and using multi-factor authentication as a gatekeeper to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining through the mere failure to apply the latest security update, the use of weak login details and the lack of multi-factor authentication.
When you need help, contact our team of experts to mitigate the cybersecurity risks for your organization.
Steve E. Driz, I.S.P., ITCP