(NEW YORK) — Cybersecurity researchers have identified a second ongoing global cyberattack that has quietly hijacked hundreds of thousands of computers around the world, including many in the United States, for a massive cryptocurrency mining operation.
While investigating the WannaCry ransomware attacks, researchers at the private cybersecurity firm Proofpoint stumbled upon another “less noisy” form of malware called Adylkuzz that, the firm says, has likely generated millions of dollars in cryptocurrency for the unknown attackers.
According to Ryan Kalember, the senior vice president for intelligence at Proofpoint, the attack employed the same hacking tools developed by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group Shadow Brokers in April to exploit vulnerabilities in the Microsoft Windows operating system.
“I would say the real-world impact of this attack is going to be more substantial than WannaCry,” Kalember told ABC News. “Ransomware is painful, but you can restore operations relatively quickly. Here, you have a huge amount of money landing in some bad people’s hands. That has geopolitical consequences.”
The firm is still working to establish attribution for the attacks, but Kalember pointed out that North Korean-backed Lazarus Group — the same hacker group linked to the WannaCry attacks — launched a similar cryptocurrency mining attack in late 2016.
Microsoft released a pair of patches to address the vulnerability exploited by both WannaCry and Adylkuzz, but the firm says computers that adopted those patches after being infected would remain compromised, and networks that have not adopted those patches would remain exposed.
Proofpoint identified Adylkuzz attacks dating back to May 2, which would predate the WannaCry attacks, making Adylkuzz the first known widespread use of the leaked NSA hacking tools. It remained undetected for so long, Kalember says, because its impact on users is far less noticeable than ransomware.
“It takes over your computer, but you probably don’t notice anything other than that the system runs really slow,” Kalember said. “Your computer might be mining cryptocurrency for some very bad people.”
The theft itself is also more subtle. While the WannaCry attack spread ransomware to extort payments in Bitcoin, the Adylkuzz attack created a botnet that steals processing power to mine for Monero, another form open-source cryptocurrency that boasts of being “secure, private, [and] untraceable.”
According to John Bambenek of Fidelis Cybersecurity, who confirmed the existence of a second virus using NSA tools to mine for cryptocurrency, Monero has largely supplanted Bitcoin as the preferred cryptocurrency of cybercriminals. Law enforcement officials have become more adept at tracking transactions through Bitcoin’s public ledger, he said, while records of Monero transactions remain “highly obfuscated.”
“It’s made it extremely attractive for cybercriminals,” Bambenek told ABC News. “There are a handful of people still hanging on to Bitcoin, but the center of gravity is moving in Monero’s favor.”
Perianne Boring of the Digital Chamber of Commerce, a Washington, D.C.-based trade association representing the blockchain industry, defended the Bitcoin community’s efforts to coordinate with law enforcement following the WannaCry attacks but told ABC News her organization does not work with Monero.
“We don’t know them,” she said.
Monero was recently adopted by AlphaBay, one of the most prominent darknet markets to emerge following the disruption of the Silk Road, where users can purchase illicit goods, such as illegal drugs, under the cloak of anonymity.
“Monero is really ugly stuff,” Kalember said. “You’re not using it for anything good. You can’t use Monero to go buy groceries.”
Copyright © 2017, ABC Radio. All rights reserved.