Canadian University Shuts Down IT Network After Cryptojacking Attack

St. Francis Xavier University, one of Canada’s oldest universities, was forced to temporarily disable all its network systems in response to a cryptojacking attack.

The university, in a statement, said that a malicious software (malware) infected its network which then attempted to utilize the university’s collective computing power in order to mine the cryptocurrency Bitcoin.

The university added that it’s bringing its IT systems back online in a staggering process to minimize potential risk. This cyber incident at St. Francis Xavier Universityhighlights the dangers of a cryptojacking attack.

What Is Cryptojacking?

Cryptojacking happens when a cyberattacker uses without consent the computing power of another for the purpose of mining a cryptocurrency such as Bitcoin.

Mining a cryptocurrency like Bitcoin is similar to mining gold. Instead of using back-breaking labor in gold mining, in cryptocurrency mining, computer processing power is used instead. Cryptomining is legal when done in one’s computer or with the permission or consent of the computer owner. Cryptomining becomes illegal when this is done in someone else’s computer and done without their consent.

Cryptomining is as simple as installing a specialized software developed to mine a cryptocurrency in a computer and letting the software run day and night. The phrase “coin miner malware” is used to refer to a malicious software that’s installed in a computer without the owner’s consent. 

Cryptominers, those that allow their computers to be used for cryptocurrency mining, earn cryptocurrency as compensation for the use of computing power. In cryptojacking, the earned cryptocurrency goes to the wallets controlled by attackers, without the knowledge of the owners of the computers used in cryptomining.

Prevalence of Cryptojacking

The cryptojacking incident at St. Francis Xavier University isn’t an isolated incident. McAfee Labs(PDF) reported that cryptojacking is on the rise. In the 4thquarter of 2017, McAfee Labs reported that coin miner malware programs installed illegally by attackers were less than 1 million. This number, McAfee Labs said, rose to more than 5 million in the 2nd quarter of 2018.

McAfee Labs attributed the rise of cryptojacking to the value of cryptocurrency. As of November 10, 2018 (3:30 PM GMT+7) the value of Bitcoin, the most expensive cryptocurrency, is $6,400. While this value is way below the all-time high price of nearly $20,000 in late 2017, this is still way high from the early 2017 price of $1,000.

Legitimate Bitcoin miners need to invest in powerful computers and pay for the corresponding electricity cost. Cryptojackers, on the other hand, won’t be bothered in investing on these two as they’d rather steal the computing power of another to mine Bitcoin as the process simply involves installing a coin miner malware on someone else’s computer.

Networks or interconnected computers of enterprises and organizations are typically targetted for coin miner malware as the collective computing power is much higher and the corresponding Bitcoin earning is much higher as well. “If an attacker can hijack enough systems, mining in high volume can be profitable,” McAfee Labs said.

Cryptojacking isn’t limited to Bitcoin mining. Attackers also hijack other computers to mine the cryptocurrency Monero valued at $105 as of November 10, 2018 (4 PM GMT+7).

Coin Miner Malware Infections

St. Francis Xavier University didn’t specify how the coin miner malware infected its network.

Coin miner malware infections are known to start with any of the following:

1. Email Attack Scenario

DDE exploit is an example of a coin miner malware that infects a network via an email attack scenario. DDE once known to distribute ransomware – malware that locks computers and demands ransom payment – is now distributing coin miner malware.

DDE exploit comes in a Word document attached to an email. Once opened, this Word document that contains the DDE exploit downloads a modified version of the software called “XMRig”, a software used to mine the cryptocurrency Monero.

2. Web-Based Attack Scenario

Coinhive is an example of a coin miner malware that infects a network via a web-based attack scenario. Coinhive is a cryptocurrency mining service that offers a coin mining code. Coinhive is marketed as a replacement for online advertising, that is, instead of advertising, the computing power of the site’s visitor is used to mine the cryptocurrency Monero.

Cyberattackers have been known to install the Coinhive code on vulnerable websites without the site owners’ knowledge and consent to steal the computing power of visitors to mine Monero.

3. Cloud Account Attack Scenario

In October 2017, RedLock(PDF) reported that large multinational corporations’ Amazon Web Services (AWS) cloud accounts, including that of Aviva and Gemalto, were compromised by attackers and used to mine Bitcoin.

According to RedLock, cloud accounts of these large multinational corporations were compromised by attackers via Kubernetes – an open source software used by companies to deploy and manage cloud-based applications and resources – that were not password protected. RedLock added that attackers executed a Bitcoin mining command from one of the Kubernetes containers.


It’s important to keep your organization’s network free from coin miner malware as this could negatively impact computer performance and employee productivity.

Here are some cybersecurity measures to prevent attackers from hijacking your organization’s network for cryptocurrency mining:

  • Educate your employees on how to spot malicious email links and attachments.
  • Use an email service that has built-in antimalware, link protection and spam filtering.
  • Use antivirus software that blocks coin miner malware such as Coinhive.
  • Monitor configurations. Unprotected Kubernetes, for instance, can be identified through configuration monitoring.
  • Monitor network traffic. Monitoring network traffic together with configuration monitoring can detect suspicious network traffic.

When you need help, our technology and security professionals are a phone call away. Call today (416) 920-3000 to better protect your data.

Leave a Reply

Your email address will not be published. Required fields are marked *