
Even the US government can fall victim to cryptojacking

Documents reveal that USAID was victimized by a password spray attack that resulted in roughly $500,000 in Microsoft service charges.
[Image: A Bitcoin logo in the window of a cryptocurrency exchange kiosk in Istanbul, Turkey, May 5, 2023. Photo by Aziz Karimov/Getty Images]

Cryptojacking, the tactic of breaking into a device to steal computing resources and mine crypto, is a pervasive, frustrating and expensive problem. But attacks like these can also raise cybersecurity concerns, especially when they happen to the federal government. 

Last fall, the U.S. Agency for International Development learned it had been hit by a cryptojacking incident, according to documents viewed by Scoop News Group. The agency was notified by Microsoft that a global administrator account located in a test environment had been breached through a password spray attack, a brute-force technique in which an attacker tries a small set of likely passwords against many accounts rather than many passwords against one.

That account was then used to create another account — and both were then deployed to begin crypto-mining processes through USAID’s Azure resources. The result was around half a million dollars in cloud service charges to the agency.

Breaking into a government agency's cloud resources for the purpose of mining crypto might sound strange, but it happens.


In 2018, a cryptomining attack on a web plug-in used to make websites more accessible reportedly impacted government websites in the United Kingdom, as well as in the U.S. and Ireland. 

A different federal agency was also impacted by a similar attack back in 2019, according to a person familiar with the incident. In that case, hackers found an agency's AWS tokens on a public GitHub page, which they used to access the agency's cloud resources. The breach wasn't successful, the person said.

In 2022, a joint cybersecurity advisory described Iranian government-sponsored advanced persistent threat activity on a federal civilian executive branch network that included, among other malicious actions, deploying crypto-mining software.

In response to the more recent USAID incident, the system manager called for strict password policies and enforced multifactor authentication for all accounts. The system manager also wiped batch files associated with the attack, as well as deleted the accounts used for the attack. A document viewed by FedScoop noted the agency had begun continuous monitoring of security alerts from the cloud system, which the agency had not previously done. The incident showed the need for stringent security measures, the document said. 
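The chain described above (a password spray from one source that eventually lands on an administrator account, a second account created from it, then compute deployed from that account) and the continuous alert monitoring the agency adopted, as an added detection sketch that is not from the article, USAID or Microsoft; the events are constructed and their fields only loosely mirror Entra ID sign-in and audit logs, with the thresholds and names being assumptions.

```python
"""Flag the spray -> admin login -> new account -> compute-write chain over
constructed sign-in and audit events (not real USAID or Microsoft logs)."""
from collections import defaultdict

# Constructed sample events. 'code' 0 is a successful sign-in; 50126 mirrors
# the Entra ID "invalid username or password" result. 't' orders the events.
EVENTS = [
    {"type": "signin", "ip": "203.0.113.7", "user": "alice", "code": 50126, "t": 1},
    {"type": "signin", "ip": "203.0.113.7", "user": "bob", "code": 50126, "t": 2},
    {"type": "signin", "ip": "203.0.113.7", "user": "carol", "code": 50126, "t": 3},
    {"type": "signin", "ip": "203.0.113.7", "user": "dave", "code": 50126, "t": 4},
    {"type": "signin", "ip": "203.0.113.7", "user": "test-admin", "code": 0, "t": 5},
    {"type": "audit", "actor": "test-admin", "op": "Add user", "target": "svc-mine", "t": 6},
    {"type": "audit", "actor": "svc-mine", "op": "Microsoft.Compute/virtualMachines/write",
     "target": "vm-01", "t": 7},
    {"type": "signin", "ip": "198.51.100.9", "user": "alice", "code": 0, "t": 8},
]

def password_spray_sources(events, min_users=4):
    """IPs whose wrong-password failures span >= min_users distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["type"] == "signin" and e["code"] == 50126:
            failed[e["ip"]].add(e["user"])
    return {ip for ip, users in failed.items() if len(users) >= min_users}

def compromised_logins(events, spray_ips):
    """Accounts that later signed in successfully from a spraying IP."""
    return {e["user"] for e in events
            if e["type"] == "signin" and e["code"] == 0 and e["ip"] in spray_ips}

def mining_chain(events, suspects):
    """(suspect, account it created, compute resource that account wrote)."""
    created = {}          # new account -> the suspect that created it
    chains = []
    for e in events:      # events are time-ordered, so creation precedes use
        if e["type"] != "audit":
            continue
        if e["op"] == "Add user" and e["actor"] in suspects:
            created[e["target"]] = e["actor"]
        elif e["actor"] in created and e["op"].startswith("Microsoft.Compute/"):
            chains.append((created[e["actor"]], e["actor"], e["target"]))
    return chains

def analyze(events=EVENTS):
    """Run the three checks in order and return what each one flagged."""
    events = sorted(events, key=lambda e: e["t"])
    ips = password_spray_sources(events)
    suspects = compromised_logins(events, ips)
    return {"spray_ips": sorted(ips), "suspects": sorted(suspects),
            "chains": mining_chain(events, suspects)}

if __name__ == "__main__":
    print(analyze())
```

Each stage alone is noisy (failed logins are routine, admins do create users); the signal is the ordered sequence, which is why the checks feed into one another.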

USAID has received consistent “A” grades through the Federal Information Technology Acquisition Reform Act, which measures agencies’ efficiency in IT and software modernization. 


Scoop News Group interviewed experts at several cybersecurity-oriented firms — all of whom spoke generally on the topics of cryptojacking and how test accounts could be used in cyberattacks, rather than the specifics of the USAID incident. 

None of those cyber firms were familiar with a similar attempt on a government system, though cryptojacking is common in the private sector and some experts said such attacks are likely to hit the government, too. The Cybersecurity and Infrastructure Security Agency referred Scoop to USAID, which did not respond to requests for comment. Microsoft declined to comment.

Hamish Eisler, an advisory solutions architect at Chainalysis, explained generally how cryptojacking can work. “I’m going to hack somebody’s cloud account, and I’m just going to start spending their resources on it. If somebody else is paying the bills and I hack their account and suddenly start spending a bunch of CPU cycles on it, they’re paying for my effort.” 

Generally, individuals with information technology positions in their title are an attractive starting point for attackers, according to Olesia Klevchuk, director of product marketing at Barracuda. Creating secondary accounts from a privileged account is also strategic, she said, since those secondary accounts may not be well-monitored. 

Generally, monitoring for cryptojacking attacks can be difficult, said Jon Clay, vice president of threat intelligence at Trend Micro.


“One of the things we see a lot of is, they come in, they drop their miners, and then they wipe their tracks of everything they did prior to that. So it’s very difficult,” he said. “They also wipe out and turn off a lot of the security products that are running on these machines.”

Attackers who pursue these stunts tend to be individuals or criminal gangs whose business model is mining crypto. Nation states, particularly groups associated with the North Korean government, have also deployed cryptojacking, according to Daniel Blackford, director of threat research at Proofpoint.

Still, cryptojacking attempts are primarily motivated by the prospect of making money and aren’t usually focused on a particular target, experts said. Cryptojacking can be somewhat of a “whack-a-mole” problem that can cost targets tens of millions of dollars, Eisler noted. 

Several sources said multifactor authentication helps reduce the chances of this kind of attack. Microsoft announced mandatory MFA for Azure sign-in last August, to be rolled out in phases starting in 2024.

The USAID incident comes amid ongoing concerns about the deployment of MFA at government agencies, as well as criticisms of Microsoft’s approach to cybersecurity and the federal cloud. 
