A hacker repeatedly hijacked traffic headed for networks belonging to large hosting companies including Amazon, Digital Ocean, and OVH, redirecting cryptocurrency miners’ connections to collect $83,000 over four months this year.
This is according to researchers at Dell SecureWorks Counter Threat Unit, who documented 51 compromised networks from 19 different Internet service providers (ISPs) from February to May 2014.
According to the researchers, miners discussed in a forum the suspicious activity occurring on mining systems connected to the wafflepool.com mining pool.
“Several users in this forum and other cryptocurrency forums noticed similar activity — mining systems mysteriously redirected to an unknown IP address that answered with the Stratum protocol,” the researchers said. “Once connected to this IP address, miners continued to receive work but no longer received block rewards for their mining efforts. Hijackers harnessed miners’ hashing power by redirecting legitimate mining traffic destined for well-known pools to a malicious server masquerading as the legitimate pool.”
Researchers believe the attacks went unnoticed since the hijacker only redirected traffic in small bursts.
A report by InformationWeek’s DarkReading said the hacker was believed to have needed administrative rights to hijack BGP routes and redirect the mining traffic, so the culprit was likely a former employee of an ISP. The researchers traced the malicious BGP announcements to a single router at a Canadian ISP, the report said.
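One way a network operator or mining pool could spot this kind of event is to compare observed BGP announcements against the expected origin AS for each prefix, flagging both a changed origin and a more-specific prefix announced from elsewhere (longest match wins in BGP, so a /25 inside a /24 captures the traffic even while the /24 is still announced). This is an added example, not code from the SecureWorks report or the article; every prefix and ASN in it is a constructed placeholder.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: which prefixes legitimately belong to which origin AS.
# Placeholder prefixes and private-use ASNs, not the real networks named in the article.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,   # hypothetical hosting provider A
    "198.51.100.0/24": 64501,  # hypothetical hosting provider B
}

Announcement = namedtuple("Announcement", "prefix origin_as as_path seen_at")

# Constructed BGP UPDATE observations, in the form a route collector would record them.
SAMPLE_UPDATES = [
    Announcement("203.0.113.0/24", 64500, [64510, 64500], "2014-03-01T10:00:00Z"),
    # more-specific prefix inside provider A's block, originated by an unknown AS
    Announcement("203.0.113.128/25", 64599, [64510, 64520, 64599], "2014-03-01T10:05:00Z"),
    # provider B's exact prefix, but the origin AS has changed
    Announcement("198.51.100.0/24", 64599, [64510, 64599], "2014-03-01T10:06:00Z"),
    # legitimate announcement returns once the burst ends
    Announcement("198.51.100.0/24", 64501, [64510, 64501], "2014-03-01T10:20:00Z"),
]


def find_suspicious(updates, expected=EXPECTED_ORIGINS):
    """Return (prefix, seen_origin, expected_origin, kind, seen_at) for every
    announcement whose prefix lies inside a known block but whose origin AS
    is not the registered owner. kind is 'origin-change' for the exact
    prefix and 'more-specific' for a longer prefix carved out of the block."""
    known = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    flagged = []
    for upd in updates:
        net = ipaddress.ip_network(upd.prefix)
        for block, owner in known.items():
            # subnet_of() covers both an equal prefix and a more-specific one;
            # the version check avoids comparing IPv4 with IPv6 blocks.
            if (net.version == block.version and net.subnet_of(block)
                    and upd.origin_as != owner):
                kind = "more-specific" if net.prefixlen > block.prefixlen else "origin-change"
                flagged.append((upd.prefix, upd.origin_as, owner, kind, upd.seen_at))
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_UPDATES):
        print("suspicious announcement: prefix=%s origin=AS%d expected=AS%d (%s) at %s" % hit)
```

Short bursts like those described above show up as a flagged announcement followed shortly by the legitimate one returning, so comparing timestamps of consecutive hits for the same prefix gives the duration of each hijack window.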
Former employees can cause security headaches for companies if they aren’t offboarded properly. Last year, a former HostGator employee was charged with installing a backdoor to access 2,700 servers.
“BGP peering requires that both networks be manually configured and aware of one another,” researchers said. “Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal.”
The report said that the affected hosting providers own very large ranges of IP addresses, and the hijacked addresses made up a negligible fraction of them.
In a separate incident in January, hackers lifted AWS login credentials from GitHub and used hijacked cloud instances to mine for bitcoins.