Hacker mines $620K in cryptocurrency under victims' noses

Hijacks network storage devices - and PCs - then puts them to work in the Dogecoin mines

A German hacker generated more than $620,000 in cryptocurrency after hijacking an unknown number of network storage devices and turning them into digital slaves to mine Dogecoin, researchers said today.

"This wasn't unique, we've seen other malware install [cryptocurrency] miners, but we haven't seen anything this big before," said Pat Litke, a researcher at Dell SecureWorks' Counter Threat Unit (CTU). "That was mostly due to the infection vector. He could just walk in the door."

Litke and David Shear, a network security analyst also with SecureWorks, were referring to vulnerabilities in network-attached storage (NAS) systems manufactured by Taiwan-based Synology that the hacker exploited before planting a customized cryptocurrency miner on the devices.

Synology had issued patches for the vulnerabilities shortly after the flaws were made public last September; the hacked NAS systems had not been updated with the fixes.

Unpatched NAS devices were found and exploited, and then their computing and graphical horsepower -- the boxes were computers in all but name -- were set to work generating Dogecoins, an alternative to the better-known Bitcoin. Within months, the hacker's network of compromised devices mined over 500 million Doge, or just over $620,000, Litke said.

Hackers have long targeted cryptocurrency with specialized malware, but almost all of their efforts have targeted existing digital money, primarily Bitcoins, stored in virtual "wallets." In February, Litke and Joe Stewart, director of SecureWorks' malware research, presented their findings on the rapid increase in cryptocurrency-stealing malware at the RSA Conference.

Planting malware to actually create digital funds, however, is a relatively new development, said Litke, and the evidence they collected on the Synology NAS-hijacking showed how lucrative the practice can be. That bodes ill.

"It will become fairly commonplace, even as an afterthought, for [cyber criminals] to add malware miners [to their payloads]," said Shear, who expects other cyber criminals to quickly adopt the strategy. "We're kind of already there. With a big enough botnet, and we're talking big, they could out-hash anyone."

SecureWorks also dug up some other interesting elements of the NAS hijack, including the native language of the hacker (or hackers), and the fact that the mining of Dogecoins couldn't have been exclusively from the compromised storage devices.

The username the firm's researchers found in the malware's configuration file led them to other digital bits, including a GitHub account, while multiple hacker forums showed that the hacker communicated exclusively in German.

And the Synology NAS systems weren't the only devices mining for ill-gotten gains, said Litke. "It had to be more than just the NAS boxes," he said, citing tests he and Shear had done on a Synology system to determine how efficient it was in creating Dogecoins. Combining that with other clues they uncovered, they determined that the NAS devices had to have had help, probably from hijacked PCs.

"It's not feasible that the NAS boxes did this alone," Litke concluded. "That means there was other hashing power at play. But what those were, how many there were, how many boxes there were, we can't tell."

Although the Synology devices came to the attention of SecureWorks because users reported that their systems were consuming a high number of CPU cycles, attackers could easily modify their code to be more surreptitious, making it harder for victims to notice that their machines, PCs or otherwise, were secretly working on someone else's behalf.

"We've seen malware that can detect when the system is being used, and then throttle back," said Litke. "Then when the device becomes idle again, the malware throttles up."

That kind of behavior has long been used by legitimate software, including projects that rely on the collective power of large numbers of PCs to do heavy computational lifting. The SETI@home initiative, for example, has used more than a million PCs -- whose owners have opted in by downloading and installing a small program -- to analyze radio telescope data in the search for signs of extraterrestrial intelligence. That software would engage only when the host system was idle.

SecureWorks has published more information about the Synology NAS hijacking on its website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
