
The other day it became known that Radiflow, a company working in the field of cyber security, had found cryptocurrency-mining malware in the network of a European water utility. The infection involved servers of an industrial control system (SCADA). Such systems have been infected with malware before (recall the infection of industrial uranium-enrichment systems in Iran and other countries), but until now nobody had tried to mine cryptocurrency with their help.
This case can be called the first known one. "This is the first time we have discovered a miner in an industrial enterprise's network," said the head of Radiflow. In this case, the malware penetrated the system through some vulnerability and began to use its computing power to mine cryptocurrency.
As in many other cases, the malware mined Monero, an anonymous cryptocurrency that has long been popular with cybercriminals of various kinds (which does not mean that the cryptocurrency itself is bad).
The investigation is currently at an early stage, but it is already clear that the miner ran on the enterprise network for about three days before it was detected. The company that found the unauthorized software does not disclose the name of the client, saying only that it is a European organization.
As far as can be understood, a site created by the attackers was the source of the infection. One of the company's employees visited this site, as a result of which the malware got into the computer network and then onto the SCADA server. The first device infected on this network was a Human Machine Interface (HMI) running Windows XP. Despite Microsoft having ended its support, this OS is not about to leave the industrial-systems market, where it has been operating for many years. Replacing it with newer versions of the OS is a long and expensive undertaking, so companies prefer to leave everything as it is.
In some cases such an approach justifies itself; in others, as in the current situation, it does not. Security updates covering many vulnerabilities exist for Windows XP, but industrial systems are updated extremely rarely, out of fear that an update will "break" something or out of reluctance to spend time on what many consider an unnecessary update.
Unfortunately, the company that discovered the problem does not know how much cryptocurrency was mined for the intruders. But there is a recent report by the Talos research group (a division of Cisco), according to which the attackers behind the largest known mining botnets earn about $1 million per year.
Radiflow was able to detect the miner thanks to its own threat-detection system, which was running on the servers of the European utility.
Mining malware in general is becoming increasingly popular and common among cybercriminals. For example, a specialized version of the Satori malware, using vulnerabilities in Claymore Miner, replaces the wallet addresses of the owners of mining equipment with the attackers' wallets. The equipment keeps working as before, nothing visibly changes, and in many cases the owner of the equipment simply does not notice anything. During the operation of this malware, the attackers managed to earn 3.336721 ETH.
Satori itself is a modified version of the Mirai botnet, whose source code was published. This malware takes control of Internet of Things devices and does so very effectively; in 2016 the botnet grew at a very fast pace. There are other threats online as well. For example, at the end of last year cybersecurity experts detected another powerful piece of malware on the network, which became known as Reaper or IoTroop. It likewise finds vulnerabilities in the software and hardware of IoT devices and infects them, turning them into zombies.
Many cryptocurrencies can now be exchanged for a decent amount of fiat money, so attackers keep coming up with new ways to enrich themselves, including by infecting industrial systems.