Two worlds have collided in the latest compromise of an OT (operational technology) environment, in a case in which the Monero cryptocurrency is being mined on SCADA systems.
The research by SCADA security firm Radiflow found critical servers used to monitor water and sewage treatment being compromised by miners generating the untraceable cryptocurrency Monero, and sending it over existing connections to the malware writers.
This highlights a number of interesting points. First, critical infrastructure was compromised not for destruction, espionage or nation-state-sponsored aims, but for the more commodity-based goal of currency mining. Second, although the infection vector has yet to be fully determined, it shows that OT systems can be successfully targeted for mining malware installation, perhaps because systems set up to perform a single, defined purpose receive less monitoring - and because their latent processing capacity can be leveraged. The research indicates that the mining malware was more sophisticated than a simple browser-based program, and that it spread across multiple servers using SMB exploits.
Compromise of this type of monitoring hardware by means of a currency miner isn't done specifically to destroy the servers or interrupt water supply control, but it can have a knock-on effect on CPU and network bandwidth consumption - with the secondary impact of interfering with the systems the machines were configured to control.
Thankfully the damage in this instance was limited, but a directed compromise of a sewage treatment plant hardly bears thinking about...
SCADA security outfit Radiflow claimed today it found the software nasty lurking in computer systems at a water treatment facility. Several operational servers used to monitor and regulate critical water supplies were found to have been infected with code that secretly harvested Monero cyber-dosh and sent the coins over the internet to its masterminds. "Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator," said Yehonatan Kfir, chief tech officer at Radiflow.
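The indicators described above (sustained CPU load on single-purpose servers, unexpected outbound traffic, and SMB spread between servers) are exactly what a baseline check on OT monitoring hosts can surface. The following is an added example, not Radiflow's code or anything from the article; the host names, baselines, OT address range and telemetry records are all constructed.

```python
# Added example (not from the article or Radiflow): a defender-side baseline
# check for single-purpose SCADA/OT servers, keyed to the indicators the
# article describes: CPU load far above the host's normal profile, outbound
# connections leaving the OT network, and SMB (TCP 445) to unexpected peers.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Hypothetical OT address range; anything outside it is treated as external.
OT_NETWORK = ip_network("10.20.0.0/16")

# Hypothetical per-host baselines: (expected max CPU %, allowed peers).
# A historian or HMI server normally has a flat, predictable profile.
BASELINES: Dict[str, Tuple[float, Set[str]]] = {
    "hist-01": (35.0, {"10.20.0.5"}),   # constructed values
    "hmi-02": (25.0, {"10.20.0.5"}),
}

# Constructed telemetry: one record per host per sampling interval, each with
# the CPU reading and the (dst_ip, dst_port) connections observed.
SAMPLES = [
    {"host": "hist-01", "cpu_pct": 97.0,
     "conns": [("203.0.113.7", 3333), ("10.20.0.5", 502)]},
    {"host": "hist-01", "cpu_pct": 98.0,
     "conns": [("203.0.113.7", 3333), ("10.20.0.12", 445)]},
    {"host": "hmi-02", "cpu_pct": 22.0, "conns": [("10.20.0.5", 502)]},
]

def check_host(record: dict) -> List[str]:
    """Return alert strings for one telemetry record against its baseline."""
    alerts = []
    host = record["host"]
    cpu_limit, allowed = BASELINES.get(host, (100.0, set()))
    if record["cpu_pct"] > cpu_limit:
        alerts.append(f"{host}: CPU {record['cpu_pct']:.0f}% exceeds baseline {cpu_limit:.0f}%")
    for dst, port in record["conns"]:
        if ip_address(dst) not in OT_NETWORK:
            alerts.append(f"{host}: outbound to non-OT host {dst}:{port}")
        elif port == 445 and dst not in allowed:
            alerts.append(f"{host}: SMB connection to unexpected peer {dst}")
    return alerts

def scan(samples: List[dict]) -> List[str]:
    """Run check_host over every record, dropping exact duplicate alerts."""
    seen: Set[str] = set()
    out: List[str] = []
    for rec in samples:
        for alert in check_host(rec):
            if alert not in seen:
                seen.add(alert)
                out.append(alert)
    return out
```

Running `scan(SAMPLES)` flags hist-01 three ways (CPU, external outbound, SMB to an unexpected peer) and leaves hmi-02 clean; in practice the baselines would come from the asset inventory rather than a dict.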