UK government websites mining cryptocurrency after third party website plugin compromised by hackers. The plugin Browsealoud, used on many government websites to help hearing-impaired and blind visitors listen to content, was hijacked and the source code had cryptocurrency mining code injected.
UK Government Websites Mining Cryptocurrency for Hackers
A recent supply chain attack has seen many government websites turn to mining cryptocurrency for hackers, following an attack on the Browsealoud plugin. At present it is unclear whether this was an inside job or if hackers remotely compromised the plugin, but the effect is the same regardless. Any visitor to a website with the Browsealoud plugin installed had their computer turned into a cryptocurrency miner.
Instead of just displaying web content, unbeknown to the website visitor, their computer’s processing power was harnessed to mine the cryptocurrency Monero. Fortunately, the only effect on website visitors would have been a slow loading webpage, an increase in activity of the computer processor, and an increase in energy costs as a result.
The cryptocurrency mining code was not downloaded to visitors’ devices, and the mining stopped the second the browser or webpage was closed. However, such an attack may not have been quite as harmless had the attackers decided to inject different code. After gaining access to the source code, malicious code could have been injected that obtained credentials, although in this case the attackers were solely interested in mining cryptocurrency.
UK firm Texthelp developed the Browsealoud plugin to allow web content to be turned into audio – an important service to help the blind and hearing-impaired access web content. The nature of the service made the firm’s plugin popular with governments, local authorities, charitable organizations, and higher education institutions.
While security is robust at the Texthelp, somehow attackers managed to gain access to its source code and add the cryptocurrency mining code. The code change was detected by security researcher Scott Helme. When Texthelp discovered the change, the plugin was immediately disabled and an investigation was launched. The malicious code has now been removed.
The code is understood to have been changed at in the early hours of February 11, at some point after 3am. The code was only running for a few hours before the plugin was disabled.
During that time, any visitor to a website with the Browsealoud plugin installed would have had their device start mining cryptocurrency for the attackers. It is not known how much money the attackers made, but the number of individuals likely to have visited the affected websites is considerable.
Texthelp’s website indicates 4,275 websites have the plugin installed, including many government websites in the UK, US, Australia, and beyond. In the UK, many NHS websites have the plugin installed, as do the .gov.uk domains used by towns and cities the length and breadth of Britain. The Student Loans Company website was affected, as were the sites of the Information Commissioner’s Office, the Financial Ombudsman Service, the Department of Agriculture, and the Isle of Man government site. The websites of the General Medical Council and Nursing and Midwifery Council and several universities were also affected.
In the United States, the US courts website was affected along with the websites of several states and cities, while elsewhere government sites in Sweden, Ireland, Australia and many other countries were affected.
If third-party code is used on a website, any attack that sees that code altered would affect all site visitors. It is therefore no surprise that these attacks are popular with cybercriminals, nor that such attacks are common.
However, it is possible to use a security feature on websites to protect against these types of attacks. Subresource Identity, or SRI, is a technique that can be used to prevent malicious code from running on websites. If set up, when source code is altered, the code would be prevented from running when visitors arrive on a website. The change in the code would be detected and blocked. However, relatively few website owners have set up this security measure.
Further information on SRI, including how to implement this on your website, can be found on this link.