
Has Your Company's Infrastructure Been Hijacked by Bitcoin Miners?

Crypto-mining Malware Exposes Organizations to a Host of Monetary and Reputational Risks

With Bitcoin prices reaching a record high in December, cryptocurrencies have been dominating media headlines. While most choose to invest or trade in cryptocurrencies and bide their time while the prices rise, others find that the real money lies in mining it. And with the current reward at 12.5 bitcoins for mining one block of bitcoin transactions, it is clear why crypto-mining is a lucrative pursuit.

However, due to the enormous amount of required computing power, it’s almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones, or desktop computers. It takes much too long and, in most cases, the cost of electricity is higher than the anticipated revenue. Profits from crypto-mining are therefore inextricably tied to the cost of electricity, with higher energy costs meaning a cut in profit margins.

Perhaps unsurprisingly, this has led some to take shortcuts in their search for computing power: individuals and organizations are now being breached by cyber-criminals seeking to exploit corporate infrastructure. In the past 6 months alone, we have detected and intercepted over 1,000 incidents of cryptocurrency mining.

Across these incidents, we’ve seen eager crypto-mining attackers surreptitiously penetrate corporate networks by spear phishing, or by planting malware on websites and then letting it spread laterally through the network. Irrespective of the threat vector, the end goal is the same: mobilizing an army of crypto-mining machines, a cyber-threat that is notoriously difficult to catch.

Crypto-mining incidents happen daily. In one incident, an employee at a manufacturing company had unwittingly downloaded malware, which initiated a channel of communication between the employee’s machine and a collection of servers that appeared to be located in Eastern Europe. The suspect connection was followed by hundreds of anomalous downloads and command-and-control communications. Upon inspection, it became clear that the external endpoints were bitcoin mining pools and that a foreign cyber-attacker was attempting to leverage the corporate infrastructure for computing power.

But the threat isn’t always external. In another recent example, a highly acclaimed law firm had a bitcoin mining incident on its network. It transpired that a legal summer intern was illicitly using the law firm’s infrastructure to mine bitcoins, slowing down the network for all of the lawyers working on billable projects.

Although this new breed of cyber-criminal may not be maliciously trying to obtain sensitive customer data or steal corporate secrets, crypto-mining exposes organizations to a host of monetary and reputational risks. A breach could mean astronomical electricity costs, inefficient business processes, and reputational damage. Imagine that the infrastructure of a financial institution which is openly against unregulated cryptocurrencies is revealed to have been used for crypto-mining. The hypocrisy would have major reputational ramifications for the organization and would surely result in a loss of business. In light of these risks, the opportunity cost of ignoring cryptocurrency mining as a threat to your business is simply too high.

But how can we identify the early warning signs of a crypto-mining breach? Perimeter defenses, which are rigidly programmed to detect known ‘bad’, have consistently fallen short at catching this type of threat. Simply put, traditional security tools were not designed with cryptocurrency mining attacks in mind.

AI-powered cyber defense offers the best chance to detect and fight back against crypto-mining attacks – this technology can catch not only new anomalous behavior, but can also understand if a threatening presence is already in operation in your network. Capable of learning what is ‘self’ and what is ‘other’ for every user and device, this AI technology can identify and neutralize crypto-related incidents before they have time to cause material or reputational harm.

Detecting subtle deviations from normal ‘patterns of life’ is critical to identifying crypto-mining. Computers running slowly may indicate more than just aging technology: they could be a symptom of crypto-mining programs running on stolen company infrastructure. And while a rogue device connecting to rare destinations would go undetected by a firewall or antivirus, it could be the first sign of a foreign presence infiltrating a network in pursuit of crypto-mining. In both instances, AI would be able to spot the deviations from normal behavior and alert security teams in real time.
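To make the ‘rare destination’ idea concrete, here is a small added example (not code from the article or from Darktrace) that learns each device’s normal set of outbound destinations from a baseline window, then flags connections in a later window that are new for that device, rare across the fleet, and repeated often enough to look like a persistent mining session. The log format, device names, host names, port numbers and thresholds are all constructed assumptions for illustration.

```python
"""Added example: per-device 'pattern of life' baseline plus fleet-wide rarity
scoring over constructed connection logs. Not the article's or any vendor's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    ts: str
    device: str
    dest: str
    port: int
    bytes_out: int


@dataclass
class Alert:
    device: str
    dest: str
    connections: int
    reasons: list


def parse_log(text):
    """Parse constructed lines of the form: '<timestamp> <device> <dest> <port> <bytes_out>'."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, dest, port, nbytes = line.split()
        conns.append(Conn(ts, device, dest, int(port), int(nbytes)))
    return conns


def learn_baseline(conns):
    """Per-device set of destinations observed during the learning period."""
    seen = defaultdict(set)
    for c in conns:
        seen[c.device].add(c.dest)
    return dict(seen)


def fleet_popularity(*conn_lists):
    """Number of distinct devices that have ever contacted each destination."""
    devices_by_dest = defaultdict(set)
    for conns in conn_lists:
        for c in conns:
            devices_by_dest[c.dest].add(c.device)
    return {dest: len(devs) for dest, devs in devices_by_dest.items()}


def detect(baseline_conns, observed_conns, rare_threshold=2, repeat_threshold=10):
    """Flag (device, dest) pairs that are new for the device AND either rare
    fleet-wide or repeated enough to suggest a persistent session (assumed thresholds)."""
    baseline = learn_baseline(baseline_conns)
    popularity = fleet_popularity(baseline_conns, observed_conns)
    counts = defaultdict(int)
    for c in observed_conns:
        counts[(c.device, c.dest)] += 1

    alerts = []
    for (device, dest), n in counts.items():
        reasons = []
        if dest not in baseline.get(device, set()):
            reasons.append("new destination for this device")
        if popularity[dest] < rare_threshold:
            reasons.append(f"only {popularity[dest]} device(s) fleet-wide contact it")
        if n >= repeat_threshold:
            reasons.append(f"{n} connections in window (persistent session or beaconing)")
        # Novelty alone is noisy; require novelty plus at least one corroborating signal.
        if reasons and reasons[0].startswith("new") and len(reasons) >= 2:
            alerts.append(Alert(device, dest, n, reasons))
    return sorted(alerts, key=lambda a: (-len(a.reasons), -a.connections))


# Constructed baseline: three workstations with ordinary intranet and SaaS traffic.
BASELINE_LOG = """
2017-12-01T09:00:01 ws-01 mail.example-corp.internal 443 1200
2017-12-01T09:00:05 ws-02 mail.example-corp.internal 443 980
2017-12-01T09:00:09 ws-17 mail.example-corp.internal 443 1100
2017-12-01T09:01:00 ws-01 files.example-corp.internal 445 52000
2017-12-01T09:02:00 ws-17 files.example-corp.internal 445 61000
2017-12-01T09:03:00 ws-02 docs.example-saas.test 443 3300
"""

# Constructed observation window: ws-17 holds a repeated session with a host nobody
# else talks to; ws-01 and ws-02 share one new but unremarkable destination.
OBSERVED_LOG = """
2017-12-15T02:00:00 ws-01 cdn.example-new.test 443 4100
2017-12-15T02:00:30 ws-02 cdn.example-new.test 443 3900
2017-12-15T02:01:00 ws-01 mail.example-corp.internal 443 1250
""" + "\n".join(
    f"2017-12-15T02:{m:02d}:00 ws-17 pool.example-mining.test 3333 512" for m in range(12)
)


def run_example():
    return detect(parse_log(BASELINE_LOG), parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.device} -> {a.dest}: {a.connections} connections; " + "; ".join(a.reasons))
```

The shared `cdn.example-new.test` destination is new for both ws-01 and ws-02 but is neither rare nor repeated, so it produces no alert; only the single-device, persistent connection from ws-17 is raised. In practice the baseline would be learned continuously and the thresholds tuned per environment, but the shape of the logic is what distinguishes this approach from a static blocklist.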

As long as the value of cryptocurrencies continues to grow, the incentive for attackers and malicious insiders to monetize powerful corporate infrastructures via crypto-mining will grow. With new cryptocurrencies, known as ‘altcoins’, emerging nearly every day, cryptocurrencies and the threats that accompany them are clearly more than just a phase – they are here to stay. AI technologies that can spot these forms of subtle attack already exist, enabling security teams to stay ahead of profit-hungry insiders and external attackers.


Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.