How hackers mine cryptocurrencies on government websites

In the early morning of February 11, 2018, while the sysadmins were dozing at the end of the night shift, an unknown team of hackers compromised the Browsealoud plugin code. They added a little-known cryptocurrency miner to it and left, carefully covering their tracks. It wasn't until noon that day that the team responsible for maintaining Browsealoud got their bearings after a barrage of calls and disabled the plugin so that it could be cleaned up. But it was too late.

What makes this short but powerful attack notable is that the Browsealoud plugin is designed to give blind and visually impaired people access to information. It is used mainly where the US authorities are obliged to guarantee such access to their citizens: on the websites of national departments. In total, about 4,200 different pages were affected, which cast a shadow over the entire American state apparatus.

The hackers did not steal anything, did not add malicious viruses, and did not harm end users in any way. People simply went to sites that they considered a priori protected from everything and that they vitally needed in their professional and personal lives, and a miner script was launched on their computers. How much the hackers managed to "earn" this way is unknown, but that is not the cause for concern.

The Internet has exposed a new Achilles' heel: plugins like Browsealoud are used by many sites whose administrators trust the plugin developers by default and take no extra precautions. Those developers, in turn, cannot respond to every threat in the world, and if hackers once again compromise a couple of plugins or drivers without being noticed, they will be able to attack millions of sites overnight. As the mining on supposedly heavily protected US government portals has shown, this is much easier than it seems.