In a first, cryptocurrency miner found on SCADA network

Windows malware that mines for cryptocurrencies has, for the first time, been found in the network of an industrial control system at an operational treatment plant for a water utility, Radiflow, a security provider for critical infrastructure, says.

The company, which has branches in Israel, the US and the UK, said it had found the malicious software during a routine inspection and that several servers in the network had been infected with the malware which was mining for the Monero cryptocurrency.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” said Yehonatan Kfir, chief technology officer at Radiflow.

“While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

It appears that the malware got onto the internal networks through the personal machine of an employee who visited a website that was hosting the malware. From there, it spread laterally, using an SMB vulnerability.

“PCs in an OT network run sensitive HMI and SCADA applications that cannot get the latest Windows, anti-virus and other important updates and will always be vulnerable to malware attacks,” said Kfir.

“The best way to address this risk is using an intrusion detection system that passively monitors the communication in the OT network and detects anomalies in real-time caused by such malware.”

Ilan Barda, chief executive of Radiflow, said: “We are very proud to report that our technology has prevented this potentially damaging attack. Given the attractiveness of cryptocurrency mining and its increasing need for processing power, we will not be surprised if we will continue to see such attacks on other OT networks.

“This case emphasises the need for a holistic cyber security solution for OT networks, including access control, intrusion detection and analytics services with the relevant expertise.”

