Full Report
Kaspersky Lab has recorded an increase in the number of attacks involving cryptocurrency miners on the infrastructure of industrial enterprises, which started in September 2017. Miners can interfere with industrial process control and threaten process stability.
Analysis Summary
As the article snippet above is extremely brief and lacks specific incident details (dates, attack vectors, scope, response actions), the following report is synthesized based **only on the general context of that snippet** and on typical reporting structures for cryptomining incidents in Industrial Control Systems (ICS). The timeline section reflects the overall observation period mentioned in the snippet.
# Incident Report: Surge in ICS Cryptomining Attacks (Sept 2017 Onward)
## Executive Summary
Beginning in September 2017, Kaspersky Lab observed a significant increase in attacks deploying cryptocurrency miners against Industrial Control Systems (ICS) infrastructure. These infections risked process stability and could interfere with critical industrial process control functions. The overall scope involved over 3% of monitored ICS computers globally during the observation period.
## Incident Details
- Discovery Date: Ongoing observation starting from September 2017
- Incident Date: Attack wave starting September 2017
- Affected Organization: Multiple enterprises globally (No specific organization named)
- Sector: Industrial/Manufacturing/Critical Infrastructure
- Geography: Global (Based on Kaspersky monitoring scope)
## Timeline of Events
*(Note: Specific dates are unavailable; this reflects the observed trend progression.)*
### Initial Access
- Date/Time: Commencing September 2017
- Vector: Likely exploited vulnerabilities in perimeter systems, weak credentials, or drive-by downloads targeting personnel accessing corporate networks connected to ICS.
- Details: Attackers capitalized on unpatched systems or successful phishing campaigns to gain an initial foothold near or within the industrial network segment.
### Lateral Movement
- Details: Once initial access was achieved, the operators likely used network shares or known vulnerabilities to persist and to spread the miner laterally, looking for high-powered or continuously running hosts within the operational technology (OT) environment.
### Data Exfiltration/Impact
- Details: The primary impact was the unauthorized utilization of CPU/GPU resources to mine cryptocurrency. A secondary, significant impact was the potential for these resource-intensive processes to cause instability, latency, or outright failure in sensitive ICS processes that rely on predictable timing.
### Detection & Response
- Date/Time: Detected via monitoring and telemetry feeds (Kaspersky ICS CERT)
- Details: Detection was achieved through security monitoring solutions identifying high CPU utilization patterns typical of cryptomining malware, or specific signatures associated with known mining software. Response would necessitate isolating infected hosts and cleaning systems to restore process stability.
## Attack Methodology
Since detailed forensics on a specific victim are unavailable, this section reflects common vectors used in observed cryptojacking targeting enterprise environments that spread to ICS environments:
- Initial Access: Exploitation of public-facing services, RDP brute-forcing, or phishing/malicious attachments targeting workstation users on the IT network adjacent to OT.
- Persistence: Installation of common mining software clients (e.g., XMRig variants) configured to restart automatically, often hiding within legitimate-looking processes.
- Privilege Escalation: Common enterprise privilege-escalation methods, used where the initial foothold lacked the administrative rights needed to install or run the miners.
- Defense Evasion: Utilizing "fileless" techniques or disguising miners as standard utilities; often relying on the perceived low security standards of ICS environments to avoid immediate detection.
- Credential Access: Not the primary goal, but potentially secondary if access to administrative workstations was gained.
- Discovery: Basic network enumeration to identify high-value targets (HMIs, Engineering workstations).
- Lateral Movement: Standard Windows protocols (SMB, RDP) used to spread the miner payload.
- Collection: N/A (Focus was resource abuse, not data theft).
- Exfiltration: N/A (Only mining pool communication is required).
- Impact: Resource exhaustion, process instability in OT environments.
## Impact Assessment
- Financial: Increased operational costs due to excessive power consumption; potential costs associated with process downtime or required emergency maintenance.
- Data Breach: Likely low, as the primary goal was resource utilization, not exfiltration of sensitive PII or proprietary data.
- Operational: **High potential risk** due to direct interference with ICS processes, potential for premature hardware failure due to sustained high load, and latency introduction.
- Reputational: Dependent on the severity of any resulting operational failure.
## Indicators of Compromise
*(Indicators are generalized based on cryptomining campaigns)*
- Network Indicators: Outbound connections to known cryptocurrency mining pools (e.g., pool.monerod.io, stratum+tcp://[IP_ADDRESS]:[PORT]).
- File Indicators: Miner payloads masquerading as, or launched through, legitimate process names such as `svchost.exe` or `powershell.exe` (typically running from a non-standard path), or executables resembling known XMRig or Claymore miners.
- Behavioral Indicators: Sustained, unusually high CPU usage (consistently 80-100%) on servers or workstations, particularly during off-hours, without corresponding legitimate job output.
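As an added example (not from the Kaspersky report or from this write-up), the following Python script applies the behavioral, file and network indicators listed above to constructed per-host telemetry: it flags sustained high CPU usage (and whether it fell in off-hours), process names that match a legitimate binary but run from an unexpected path, binaries whose names resemble XMRig or Claymore, and outbound connections to stratum endpoints or known pool hostnames. The host names, file paths, the stratum port list and the 80% / six-consecutive-samples threshold are assumptions chosen for illustration, not values from the report.

```python
"""Toy cryptomining detector over constructed host telemetry (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed indicator lists (only pool.monerod.io, stratum+tcp://, XMRig and
# Claymore come from the report; the ports and expected paths are assumptions).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
KNOWN_POOL_HINTS = ("pool.monerod.io", "stratum+tcp://")
MINER_NAME_HINTS = ("xmrig", "claymore")
EXPECTED_PATHS = {  # legitimate names miners masquerade as -> expected on-disk path
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "powershell.exe": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}
CPU_THRESHOLD = 80.0   # "consistently 80-100%" from the behavioral indicator
MIN_CONSECUTIVE = 6    # assumed: six consecutive 10-minute samples = one hour


@dataclass
class Process:
    name: str
    path: str
    cpu_percent: float


@dataclass
class Connection:
    dest: str   # hostname or URL as seen in proxy/firewall logs
    port: int


@dataclass
class HostTelemetry:
    host: str
    cpu_samples: List[Tuple[datetime, float]]
    processes: List[Process]
    connections: List[Connection]


def is_off_hours(ts: datetime) -> bool:
    """Assumed plant schedule: 20:00-06:00 counts as off-hours."""
    return ts.hour >= 20 or ts.hour < 6


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_run=MIN_CONSECUTIVE) -> bool:
    """True if at least `min_run` consecutive samples are at or above the threshold.
    A short spike from a legitimate batch job does not qualify."""
    run = 0
    for _, pct in samples:
        run = run + 1 if pct >= threshold else 0
        if run >= min_run:
            return True
    return False


def analyse(host: HostTelemetry) -> List[str]:
    """Return a list of finding tags for one host; empty list means nothing flagged."""
    findings: List[str] = []
    if sustained_high_cpu(host.cpu_samples):
        off = any(is_off_hours(ts) for ts, pct in host.cpu_samples if pct >= CPU_THRESHOLD)
        findings.append("sustained_high_cpu" + ("_off_hours" if off else ""))
    for p in host.processes:
        lname, lpath = p.name.lower(), p.path.lower()
        if any(h in lname or h in lpath for h in MINER_NAME_HINTS):
            findings.append(f"known_miner_binary:{p.name}")
        expected = EXPECTED_PATHS.get(lname)
        if expected and lpath != expected:
            findings.append(f"masquerading_process:{p.name}@{p.path}")
    for c in host.connections:
        if any(h in c.dest.lower() for h in KNOWN_POOL_HINTS) or c.port in STRATUM_PORTS:
            findings.append(f"mining_pool_connection:{c.dest}:{c.port}")
    return findings


def _samples(start_hour: int, values: List[float]) -> List[Tuple[datetime, float]]:
    """Constructed: one CPU sample every 10 minutes on 2017-09-15 from start_hour."""
    start = datetime(2017, 9, 15, start_hour, 0)
    return [(start + timedelta(minutes=10 * i), v) for i, v in enumerate(values)]


# Constructed telemetry: an infected engineering workstation and a clean HMI
# that had a brief, legitimate CPU spike during the day shift.
SAMPLE_HOSTS = [
    HostTelemetry(
        host="ENG-WS-01",
        cpu_samples=_samples(22, [97.0, 98.5, 99.0, 97.5, 98.0, 99.0, 98.0]),
        processes=[
            Process("svchost.exe", r"C:\Users\Public\svchost.exe", 96.0),   # wrong path
            Process("explorer.exe", r"C:\Windows\explorer.exe", 0.5),
        ],
        connections=[Connection("stratum+tcp://203.0.113.7", 3333)],  # TEST-NET-3 address
    ),
    HostTelemetry(
        host="HMI-02",
        cpu_samples=_samples(9, [15.0, 92.0, 88.0, 20.0, 12.0, 14.0, 11.0]),
        processes=[Process("svchost.exe", r"C:\Windows\System32\svchost.exe", 2.0)],
        connections=[Connection("historian.plant.example", 1433)],
    ),
]


def scan(hosts: List[HostTelemetry]) -> Dict[str, List[str]]:
    """Analyse every host and map host name -> findings."""
    return {h.host: analyse(h) for h in hosts}


if __name__ == "__main__":
    for name, tags in scan(SAMPLE_HOSTS).items():
        print(name, "->", tags or "clean")
```

The consecutive-sample requirement is what keeps the clean HMI out of the alert: its two high samples are a spike, not the hour-long plateau a miner produces. In a real OT deployment the expected-path table would be built from a gold image of each engineering workstation, and the pool/port list from current threat intelligence rather than the short assumed list here.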
## Response Actions
- Containment measures: Immediate isolation of infected hosts from the corporate network and, crucially, from the process control network (if they were bridged).
- Eradication steps: Removal of all persistent mining software instances, registry entries, scheduled tasks, and checking system integrity due to potential unauthorized modifications.
- Recovery actions: System restoration from known-good backups for critical endpoints, patching exploited vulnerabilities, and verification that process controls are operating normally without resource contention.
## Lessons Learned
- 3.3% of monitored ICS computers were targeted, indicating that ICS is a viable target for financially motivated, seemingly low-complexity attacks (cryptojacking).
- The primary threat of cryptominers in ICS is operational disruption, not data theft. Increased monitoring of host resource utilization within OT environments is critical.
## Recommendations
- **Network Segmentation:** Strictly enforce segmentation between IT and OT environments so that miners which gain a foothold in the IT space cannot reach control systems.
- **Patch Management:** Prioritize patching on all publicly accessible or shared hosts adjacent to ICS networks.
- **Behavioral Monitoring:** Deploy monitoring tools within the OT environment capable of alerting on sustained, illegitimate high CPU utilization patterns, as traditional antivirus is often insufficient or not permitted on critical controllers.