Get a Demo

Cryptocurrencies like Bitcoin, Ethereum, Ripple, NEO, and Litecoin are regularly in the news—with crypto bulls and bears weighing in on their speculative future with every price swing.

While cryptocurrencies are being traded around the world, what we don’t see are the hundreds of thousands of crypto-specialized computers and servers that are “mining” such currencies to release new cryptocurrency into circulation.

Profit Motive

Bitmain, a Chinese manufacturer of bitcoin mining hardware, runs its own mining operation. Last year it pulled in $3 – $4 billion in profits. There is a profit motive in crypto mining, even with a small-scale operation.

Large scale crypto mining requires specialized machines that have high processing demands. Examples include ASIC miner machines with their substantial electricity appetite. But with the right software, anyone can operate at a smaller, less profitable implementation using a single laptop.

Energy loss: Consider this on Earth Day (and every day)

Cryptocurrency uses as much CO2 per year as 1m transatlantic flights. Many believe we should take it seriously as a potential climate threat. In November of 2017, the power consumed by the entire bitcoin network was claimed to be higher than that of the Republic of Ireland.

Due to the massive energy consumption of mining machines, malicious actors look for ways to mine cryptocurrency without having to absorb the costs. After its utility bill skyrocketed over 40 percent, a Florida Department of Citrus (FDC) employee was arrested this past March for allegedly using its computers to mine cryptocurrencies.

The employee also allegedly used department funds to purchase 24 graphic processing units (GPUs) totaling nearly $22,000. GPUs are often used for crypto mining because they can crunch numbers faster than systems using conventional CPU chips.

In fact, crypto-mining machines could be running within your organization’s network—draining vast amounts of energy—without your knowing it. Alongside energy theft, add wasted computational resources along with hardware wear and tear.

Malicious crypto mining activities such as cryptojacking are on the rise.

In physics, the law of conservation of energy states that energy can neither be created nor destroyed. Rather, it can only be transformed from one form to another. Applying this law to the power usage effectiveness (PUE) of your infrastructure, cooling could be severely compromised. (PUE is computed by dividing the total incoming power by total IT equipment power load. The former includes electrical and mechanical support systems such as air conditioners, fans, chillers, and power equipment.) Also, the loss of critical, allocated infrastructure capacity, such as servers being redirected, can directly impact your organization.

Why does cryptocurrency consume so much power?

Mining cryptocurrency can be CPU or GPU intensive, and therefore power intensive. To understand how mining functions, let’s look at how the bitcoin currency works. Satoshi Nakamoto, the pseudonym for the anonymous bitcoin creator(s), developed a way to exchange tokens having value online — without using a centralized system such as a bank. Instead, all transaction record keeping occurs in a decentralized blockchain database residing on thousands of distributed machines. These comprise the bitcoin network.

Mining computers collect pending bitcoin transactions, known as a “block,” which are turned into a mathematical puzzle. Solving these mathematical puzzles is what consumes compute power. In uncovering the solution, a miner then announces it to the network. Other miners check if the sender of funds has the right to spend the money and whether the puzzle solution is correct. If enough approve, that block is cryptographically added to the ledger blockchain and the miners move onto the next set of transactions.

The miner who originally found the solution receives 25 bitcoins as a reward, but only after another 99 blocks have been added to the ledger—hence, the incentive for miners to participate and validate transactions.

Who could be mining cryptocurrency inside your organization?

Malicious insider – This may be someone who has access to high-performance computing systems and logs on during the evening to engage in crypto mining. An example of such systems are AWS high-CPU or GPU machines, which can be used for complex computation and are expensive to operate. The scenario might even involve this person receiving kickbacks to participate.

Compromised insider – This can occur when someone unwittingly succumbs to a phishing scam, clickbait, or a drive-by (where software is downloaded for surreptitious crypto mining). Or, an employee inadvertently downloads free software that might not disclose that it performs crypto mining on the back end. There are video streaming sites and file sharing networks that have allegedly been cryptojacking users’ computers (as has a free Wi-Fi provider in an Argentinian Starbucks).

Rationalizing insider – Here an individual downloads small-scale, crypto mining or cryptojacking software they intend to run when their machine is idle. This miner rationalizes that it’s OK to use their machine to generate money when it’s not in use.

Malicious outsider – Similar to a DDoS attack, which uses a server or service vulnerability, a hacker can hijack an entire connected infrastructure to develop a distributed crypto mining operation. Since not a lot of traffic is generated, and servers in data centers are expected to have a fairly high load, these hijacks may go unnoticed for a long period of time.

How much could crypto mining be costing your organization?

We know that crypto mining in the aggregate can use a tremendous amount of energy. But how much of your organization’s power could crypto miners potentially be using, and how much would it cost?

The tremendous electricity consumption of crypto currency mining is getting the attention of local governments.

The answer is difficult because it depends on many variables. Determining how many machines are being utilized is a start. However, not all machines consume the same amount of power; which depends on the type and number of CPUs, and whether they are using GPUs. It also depends on how often and intensively they are being used. Add in the cooling costs, and it’s a complicated equation.

The best thing to do it look for anomalies in your bill, and if seen, start looking for suspicious activity.

What should you look for?

Crypto mining creates a significant deviation in pattern and velocity.

Look for a sudden change in capacity or use, as well as for an abnormal executable. For example, consider the sudden nighttime appearance of an odd executable in an environment that usually only runs EXCHANGE.EXE or NTDS.EXE. This should be flagged as abnormal. Or, consider a machine, ordinarily only operating during daytime hours, that is suddenly running 24×7.

A few straight forward ways to detect such irregular behaviors is to learn what sort of processes and connections servers create with outbound access (to connect to mining pools, etc.), and modeling the normal behaviors. The same goes for server capacity and utilization. In a production environment, there are certain benchmarks that IT performs to ensure proper service is maintained— deviation from these benchmarks may be an indicator of capacity abuse. An emerging technology called entity analytics can automate detection by baselining normal machine behavior and highlighting the anomalies.

With the value of cryptocurrency increasing, and the less power intensive currencies still nascent, malicious actors appropriating machines for profit will most likely be around for a while.

Barry Shteiman
VP Research & Innovation

Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.