HCGH: Cryptojacking
How Crypto Gets Hacked - Jack your computer, Jack your coins.
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets.
Do your own due diligence.
On July 19th, 2021, the White House came out with a press release, which stated that the People’s Republic of China was behind various malicious cyber attacks, including something they called “crypto-jacking.”
The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.
With state-sponsored cyberattacks on the rise, the US administration has said it wants to tackle all cyber crimes, which includes expanding cryptocurrency analysis in order to find these criminals, although, in this case and others, the attacks may also be coordinated by state actors.
But what is cryptojacking exactly?
Cryptojacking is when an attacker gains access to your computer and installs crypto-mining software on it. The software then runs in the background and mines cryptocurrency on your computer without your permission. A user can unwittingly download the mining code by clicking on a link or by getting infected through a shared network (such as a cloud environment). Some cryptojacking software can even run in your browser alone (as we will see). The software operates in the background without the user knowing: it mines cryptocurrency using the machine’s CPU, degrading performance for the owner, sometimes by so little that the owner doesn’t even notice.
And it’s not new. I found out that this problem has been around since 2017, when a company with a noble goal accidentally created what became a popular Monero-mining malware that anyone could use.
The concept was first created by a service called CoinHive, which was originally trying to build an alternative to banner ads. Their idea was that a website owner could embed a JavaScript file in their webpage, and this script would mine the Monero cryptocurrency inside the visitor’s browser. This way the site owner could still earn income without having to run banner ads. Unfortunately, it never caught on with websites, because it would send visitors’ CPU usage through the roof when they visited the site.
But some other “enterprising individuals” found a use for it: using other people’s hardware to mine Monero for the hacker. All of the cases I looked up used the Monero cryptocurrency. Why THAT particular cryptocurrency? For one thing, Monero is mined using CPU power, something far more widely available than specialized mining hardware, since every computer has a CPU. Also, unlike Bitcoin, where all transactions are traceable and public for anyone to see, Monero can’t be tracked. The Monero blockchain obscures who the sender and receiver were as well as how much was transacted, making it nearly impossible to trace anyone who sends or receives Monero. Its creators wanted to make the digital equivalent of cash, and who loves using loads of untraceable bills more than criminals?
The CoinHive script was a popular tool for hackers to mine Monero on other people’s systems until CoinHive shut the project down in 2019. But that didn’t stop hackers from creating their own similar malware to steal CPU power for mining.
There was Smominru, and Prometei, and Graboid, and Facexworm, and Crackonosh, and Outlaw, and Badshell, WannaMine, PowerGhost or….
I think you get the picture. There’s a lot of them.
Today, there are many ways companies are fighting back against cryptojacking.
For all of the top cybersecurity firms, this is a known issue. Look up “What is cryptojacking?” and every cybersecurity firm will pop up explaining what it is and how they can help protect you from it.
In April 2021, Intel and Microsoft announced a collaboration to detect and stop cryptojacking attacks on enterprise systems:
Starting today, Microsoft Defender for Endpoint expands its use of Intel® Threat Detection Technology (Intel® TDT) beyond accelerated memory scanning capabilities to activate central processing unit (CPU) based cryptomining machine learning (ML) detection. This move further accelerates endpoint detection and response for millions of customers without compromising experience.
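The symptom described earlier (a steady background CPU load, sometimes throttled low enough that the owner never notices) is what CPU-based detection like the above keys on. As an added illustration, not code from this post or from Intel or Microsoft, here is a minimal heuristic version run over constructed per-process CPU samples: a miner shows a sustained, flat load, while interactive programs are bursty. The process names, readings, log format and thresholds are all assumptions made for the example.

```python
"""Heuristic spotting of a miner-like process from per-process CPU samples.
Added illustration; readings, names, log format and thresholds are constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-second cpu_percent readings: pid -> (process name, readings)
TRACES = {
    1201: ("browser", [80, 5, 60, 2, 0, 45, 90, 3, 10, 70, 0, 55]),
    2244: ("svc_update", [28, 30, 29, 31, 28, 30, 29, 30, 31, 29, 30, 28]),
    3310: ("editor", [1, 0, 2, 1, 0, 0, 1, 2, 0, 1, 0, 1]),
    4402: ("cc1", [95, 97, 96]),  # short legitimate burst: too few samples
}
# Render them as the kind of log a monitoring agent might emit (constructed format)
SAMPLE_LOG = "\n".join(
    f"t={t} pid={pid} name={name} cpu={cpu}"
    for pid, (name, readings) in TRACES.items()
    for t, cpu in enumerate(readings)
)
LINE = re.compile(r"t=(\d+) pid=(\d+) name=(\S+) cpu=([\d.]+)")

def parse_log(text):
    """Group cpu_percent readings by (pid, name), in time order."""
    per_proc = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip malformed lines rather than crash the monitor
            t, pid, name, cpu = m.groups()
            per_proc[(int(pid), name)].append((int(t), float(cpu)))
    return {k: [c for _, c in sorted(v)] for k, v in per_proc.items()}

def looks_like_miner(readings, min_samples=10, min_mean=20.0, max_stdev=5.0):
    """Sustained (enough samples), non-trivial and flat load => miner-like."""
    if len(readings) < min_samples:
        return False
    return mean(readings) >= min_mean and pstdev(readings) <= max_stdev

def suspicious_processes(text, **thresholds):
    """Return sorted (pid, name) pairs whose CPU profile looks like mining."""
    return sorted(
        key for key, readings in parse_log(text).items()
        if looks_like_miner(readings, **thresholds)
    )

if __name__ == "__main__":
    for pid, name in suspicious_processes(SAMPLE_LOG):
        print(f"steady CPU load, check for mining: pid={pid} name={name}")
```

A flat load alone is only a lead (a long compile or video encode would also match), which is why real products add further signals such as the CPU telemetry the announcement mentions.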
Still, it has become such a widespread issue that even the US government is getting involved to help protect US citizens and companies from it. Palo Alto Networks’ Unit 42 has been tracking many of these cryptojacking attacks, and came out with a research report in April 2021 that found:
“Globally, 23% of organizations with cloud workloads experienced cryptojacking from July through September 2020, compared to only 17% from December 2020 through February 2021, according to our findings,” the report states.
At least that number’s going down, right?
And the US’s fears are not only about China. North Korea has been using similar techniques to fund the country for years. In 2020, a report found that North Korea had been stepping up its efforts to use Monero cryptojacking for income:
North Korea is stepping up mining of the privacy coin monero as the regime continues its efforts to circumvent sanctions.
U.S. cybersecurity firm Recorded Future said in a report Sunday that network traffic for monero (XMR) mining that had originated from North Korean IP ranges had increased by “at least tenfold” since May 2019, making it the most popular digital asset to mine and surpassing the regime’s mining activity for bitcoin (BTC).
The report attributes the changing preference for monero to the fact XMR mining can take place on non-specialized machines, such as conventional computers, which lowers operating costs and negates the need to import mining rigs from abroad.
Monero transactions are also anonymous, making it easier for North Korea to “evade attempts to track funds” as well as circumvent sanctions imposed on the regime by the U.S. and the U.N. Security Council, according to Recorded Future.
They act more like a “mafia nation,” using illicit means to make money and get around sanctions. Cryptojacking is just one such method used by their experienced cyber army (see the Extra Links below for more stories).
Thoughts:
STOP CLICKING ON LINKS IN MESSAGES IF YOU DON’T KNOW THE ADDRESS OF THE SENDER. And even then, double check. If it’s too brief and something seems off, just don’t do it. Same goes for sketchy links on websites.
Unlike other hacks I’ve discussed on the blog before, this is one that really hits home. It’s not just some crypto coin that a bunch of degens were betting on that ended up being a scam, or a case of developers who were in WAY over their heads. This is something that may have affected me and any computer I may have worked on, and I may not even have noticed a difference. I may have unwittingly mined Monero for North Korea. That’s scary.
In my opinion, if there is any cryptocurrency the US and other governments should be afraid of, it’s Monero, not Bitcoin. If the government truly cares about digital assets being used for criminal activity, to fund terrorism, or by other state actors to get around sanctions, then it seems like they should target limiting the use of Monero.
Russia and North Korea are too militarily weak to attack the US head on, and both have been beefing up their cyber warfare divisions for years now: Russia to attack enemy infrastructure, as with NotPetya in Ukraine and the SolarWinds attack, and North Korea for money, through extensive cryptojacking, theft from exchanges, and a $1B heist from Bangladesh’s national bank. China has been known to use hacking to steal intellectual property or government secrets in the past, as when it stole large amounts of semiconductor data from Taiwan. According to the US, it seems they are in it for the money now as well. And even though we may be relatively safer from cryptojacking in the future, the cyber wars are bound to continue.
Seriously, stop clicking on links. I know, I know, I just gave you a bunch of links, but please at least check the pathway before you click. Unless you want to get jacked too.
Extra Links:
What is cryptojacking and how to prevent it.
When Coinhive was shut down in 2019.
Crowdstrike’s explainer of crypto-jacking.
All the findings from Palo Alto Networks’ Unit 42 on cryptojacking attacks (there’s a lot of them).
Listen to the BBC’s Lazarus Heist podcast series for more info on how the ruling party in North Korea acts more like an organized crime syndicate than a nation. Also check out this one from the New Yorker on North Korea’s hacker army.
I can’t believe you fell for that again. Here’s the real link: