Hackers infected thousands of websites and visitors' computers to mine cryptocurrency assets, it emerged over the weekend.
UK government websites, including the Information Commissioner's Office (ICO) site, had to be taken offline late Sunday over fears the hack could impact more computers. Other affected websites included various NHS services and the Student Loans Company, plus others across the UK and overseas.
The attack was brought to light by independent security researcher Scott Helme, who realised something was amiss when a friend told him an antivirus application had raised a malware warning when visiting the ICO website.
Hackers infected a popular browser plug-in named Browsealoud, which is used to read content on the web for the blind and partially-sighted. The hackers inserted a program named Coinhive, which mines Monero, a Bitcoin competitor, into the plug-in, alongside code which then infects the computer of anyone who visits an infected website. Coinhive then starts mining Monero without the user's knowledge.
Mining cryptocurrency takes a lot of computing resources, which in turn raises electricity bills. As more cryptocurrency is mined, more resources are needed and so electricity bills rise further. For the hackers, then, this was a lucrative opportunity: write some code, infect some websites via a browser plugin, and sit back and watch as thousands of computers mine crypto.
A huge amount of computing resource is needed to mine cryptocurrency, which has led to soaring graphics card and RAM prices recently. (Image: Markus Spiske)
Monero is a competitor to Bitcoin, with a specific focus on privacy, making transactions untraceable back to both the sender and recipient. This focus has also won it many fans in the darker part of the crypto community, which values its inherent anonymity.
The company that develops Browsealoud, Texthelp, confirmed the plug-in was infected for four hours on Sunday February 11. Texthelp's CTO and Data Security Officer, Martin McKay, said in a statement: "In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away."
He continued: "Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action."
The company has now instigated a security review from an independent consultancy.
In the meantime, questions will be asked about how a UK government website came to be infected. On Monday morning the Information Commissioner's Office website was still offline.
The National Cyber Security Centre said in a statement on its website: "NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency. The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk."
— Phil Oakley, Site Editor, TechX365