Threatwatch

Bitcoin hacker who directed ISPs to do his bidding banked $83,000

Network intrusion; Unauthorized use of system administrator privileges; Man-in-the-middle attack

No fewer than 19 Internet service providers unwittingly contributed to the mining of digital currency, after a thief used a technique called BGP hijacking to redirect traffic, including data from the networks of Amazon.

BGP hijacking exploits the so-called border gateway protocol, “the routing instructions that direct traffic at the connection points between the Internet’s largest networks,” Wired explains. “The hacker took advantage of a staff user account at a Canadian internet service provider to periodically broadcast a spoofed command that redirected traffic from other ISPs.”

Dell SecureWorks researchers, who discovered the plot, declined to name the ISP and are not sure if the hacker cracked the account or might have been a rogue insider.

The attacker used BGP hijacking to target a collection of bitcoin mining pools – “bitcoin-producing cooperatives in which users contribute their computers’ processing power and are rewarded with a cut of the resulting cryptocurrency the pool produces,” Wired continues. “The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds.”

With that much power, the hacker was banking bitcoins and other cryptocurrencies, such as dogecoin, at a rate of $9,000 a day.

That BGP trick enabled the hacker to redirect the miners’ computers to a malicious server controlled by the hacker. From that server, the hacker sent the mining machines a command that changed their configurations to contribute their processing power to a pool that stockpiled the bitcoins they produced.
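As an added illustration (not code from the article or from Dell SecureWorks), here is a small route-monitor check that a pool operator or ISP could run over its own BGP feed: it flags a watched prefix, or a more specific piece of it, announced from an unexpected origin AS, and notes when such an announcement recurs, the periodic-broadcast pattern the article describes. The prefixes, AS numbers and feed entries are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed baseline (hypothetical values, not from the article): prefixes a
# pool operator or ISP cares about, mapped to the AS expected to originate them.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,   # hypothetical mining-pool front end
    "198.51.100.0/23": 64501,  # hypothetical hosting provider
}

# Constructed BGP UPDATE feed: (time, prefix, origin AS). The /25 from AS64666
# models the attack in the article: a more-specific prefix covering the pool's
# address space, announced periodically so that it comes and goes.
FEED = [
    (0, "203.0.113.0/24", 64500),
    (1, "198.51.100.0/23", 64501),
    (2, "203.0.113.0/25", 64666),
    (3, "203.0.113.0/24", 64500),
    (9, "203.0.113.0/25", 64666),
    (15, "203.0.113.0/25", 64666),
]

def classify(prefix_str, origin):
    """Return alert strings for one announcement; empty if it matches the baseline."""
    prefix = ip_network(prefix_str)
    alerts = []
    for known, owner in EXPECTED_ORIGIN.items():
        known_net = ip_network(known)
        if origin == owner:
            continue  # the expected originator may announce any part of its own space
        if prefix == known_net:
            alerts.append(f"origin mismatch: {known} announced by AS{origin}, expected AS{owner}")
        elif prefix.subnet_of(known_net):
            # A more-specific prefix wins longest-match route selection, so routers
            # everywhere prefer it over the legitimate, shorter announcement.
            alerts.append(f"more-specific hijack: {prefix} inside {known} from AS{origin}")
    return alerts

def scan(feed):
    """Alert on every suspicious announcement and list (prefix, AS) pairs that recur."""
    alerts, counts = [], {}
    for t, prefix, origin in feed:
        found = classify(prefix, origin)
        alerts.extend((t, a) for a in found)
        if found:
            counts[(prefix, origin)] = counts.get((prefix, origin), 0) + 1
    periodic = [key for key, n in counts.items() if n >= 3]
    return alerts, periodic

if __name__ == "__main__":
    for entry in scan(FEED)[0]:
        print(entry)
```

In practice the feed would come from a route collector or the operator's own BGP sessions, and the baseline from RPKI/IRR data rather than a hand-written table.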

The researchers measured $83,000 worth of cryptocurrency stolen during the machinations. But the winnings could be greater, because they had to stop counting for several weeks when one of the researchers broke his ankle.

While this BGP takeover only scored cash, other schemes using the same tactic could cause destruction, the researchers warned.

“If one Canadian ISP can be used to redirect large flows of the Internet to steal a pile of cryptocurrency, other attackers could just as easily steal massive drifts of Internet data for espionage or pure disruption,” Wired reports.

sector

Financial Services; Web Services

reported

August 7, 2014

reported by

Wired

number affected

Unknown

location of breach

Unknown

perpetrators

Criminals

location of perpetrators

Canada

date breach occurred

February through May 2014

date breach detected

March 22, 2014