Monero-Mining Malware Found on SCADA Network

Recently, cryptocurrency-mining malware was discovered on five servers of a water utility company. These affected servers included the Human Machine Interface (HMI) used to control the operational processes of the utility. The malware found its way onto a server via an indirect connection to the internet. A computer used to access the HMI remotely was also used to navigate to a website that delivered the cryptocurrency miner; the malware then spread across the internal network to other servers. The malware was discovered by an intrusion detection system (IDS) monitoring the operational technology (OT) network of the utility’s customer. The utility site was subsequently disconnected from the internet and the network will be reconfigured to improve firewalling and implement better segmentation. This incident highlights the risks associated with having any internet connection, direct or indirect, to an OT network and how vital it is to properly secure remote connections to internal networks. Cryptocurrency-mining malware has become a significant problem in the last several months and can severely affect a network’s operations; however, this incident could have had more devastating impacts if the malware installed had been ransomware or other malware that could be used to maintain persistence in the company’s operational network. The NJCCIC recommends all critical infrastructure organizations review the HelpNet Security article on this incident, ensure they use a defense-in-depth approach to secure both their business and operational networks, and employ best practices including, but not limited to, deploying and properly configuring firewalls and IDS/IPS, implementing network segmentation, using multi-factor authentication for network access, and using secure methods for remotely accessing any internal networks.