Government websites among those hit by ‘coinjacking’ malware

Thousands of websites, including ones run by Irish, US and UK government agencies, were infected for several hours on Sunday with code that causes web browsers to secretly mine digital currencies.

Among the affected websites were those of the Health Service Executive, the Oireachtas, Safefood and some county councils.

More than 4,200 sites were infected with a malicious version of a widely used tool known as Browsealoud from British software maker Texthelp, which reads out webpages for people with vision problems. The issue was first reported by technology news site The Register. Any site using Browsealoud was potentially at risk.

In a statement, the Department of Communications said there were no indications at this stage that members of the public are at risk.

“The NCSC [National Cyber Security Centre] has issued an advisory to all its constituents of government departments and agencies as well as critical national infrastructure providers, informing them of the issue and outlining a number of mitigation tech steps to prevent similar types of incidents occurring in the future,” the statement said. “The NCSC will continue to monitor developments in relation to this matter.”

The HSE said it had taken the necessary steps to minimise the risks from this attack.

Coinhive

The tainted version of Browsealoud inserted software called Coinhive, which mines the digital currency Monero, and caused it to run on computers that visited infected sites, generating money for the hackers behind the attack.

Mining for digital currencies involves using computer hardware to solve a computationally difficult puzzle. Solving it adds a block of confirmed transactions to the public ledger, or blockchain, and nets the user rewards in the form of units of that currency. It can take a lot of computing power, leading to a surge in cyber attacks using software that forces infected computers to mine cryptocurrencies on behalf of hackers. The prevalence of these schemes has increased in recent months as the volume of trading in bitcoin and other cryptocurrencies has surged.

Security expert Brian Honan said the latest attack raised some issues for site owners.

While most modern laptops and systems would have been “relatively okay”, with very little impact on the performance of the systems, the coin-mining software may have slowed systems or impacted battery life. Those with up-to-date antivirus software on their systems may have been alerted to the presence of Coinhive, inflicting damage on the website owner’s reputation, he said.

Mr Honan said the incident could not be dismissed as nothing to worry about. “Websites were infected with malware used by criminals,” he said. “It could easily have been ransomware or other malicious malware.”

He said the bigger issue for site owners was that if they were putting third-party plug-ins on their website they needed to perform due diligence to ensure the software they were installing was reputable.

Texthelp told The Register it had shut down the operation by disabling Browsealoud while its engineering team investigated. – Additional reporting: Reuters