MikroTik Routers Compromised in Cryptojacking Campaign

Posted by & filed under Security News.

Cybercrime Directorate (CD), INTERPOL, has identified a massive global cryptojacking campaign conducted by threat actor(s) that exploited a vulnerability in a particular brand of routers (namely, MikroTik). This campaign involved the injection of a mining script into the routers through the known vulnerability. The aforesaid was sometime facilitated with the use of malware.

Based on the data collected during the period 31 January to 5 February 2019, there were 110,532 potential routers being infected in 173 countries. Upon in-depth analysis and data enrichment conducted by the Cyber Fusion Centre (CFC) and private sector partners, Cyber Activity Reports (CAR) were disseminated to 151 member countries concerned.

1. AIM

The aim of the operation is to support member countries to combat “cryptojacking” through the provision of actionable cybercrime information. In particular, the operation will focus on dealing with the threats of illegal access to routers and/or malware distribution that facilitated the infection of vulnerable routers.


The objectives of the Operation are listed as follows:

  • Detect threat actor(s) responsible for the commission of illegal access to routers and/or dissemination of malware for infecting vulnerable routers;

  • Link up law enforcement agencies of member countries for the purpose of conducting joint-investigation;

  • Disrupt the “cryptojacking” network by cleaning up the infected routers with a view to suppressing illegal cryptocurrency mining activities; and/or

  • Raise the overall awareness and understanding of common cryptojacking modus operandi employed.


The operation will be carried out in 4 phases, namely:

  • Planning and Analysis Phase;

  • Organizational Phase;

  • Tactical Phase; and

  • Evaluation Phase


Phase I: Planning and Analysis Phase (January to February 2019)

During the captioned period, officers of CFC conducted a series of OSINT investigation and data collation for the purpose of identifying vulnerable and/or infected routers compromised by threat actor(s) for conducting cryptojacking. As a result, a total of 110,532 routers in 173 countries that were vulnerable to this illegal cryptojacking campaign were identified. Furthermore, CFC also retrieved crucial attributions, i.e. “site keys”, which could likely lead to the identification of threat actor(s) behind this illegal cryptojacking campaign.

In addition, with the assistance of INTERPOL’s private sector partner, CFC also retrieved a number of “site keys” from the malware that were used by the threat actor(s) to infect vulnerable routers on the Internet. The domain names that were used to spread the malware were also identified during the reverse engineering process.

CARs to respective member countries were thus compiled for disseminating the abovementioned cybercrime information.

Phase II: Organization Phase (March to July 2019)

The National Central Bureaus (NCBs) of the member countries concerned will consult and engage relevant LEA and national agencies such as Computer Emergency Response Team (CERT) to support the Operation. At least one officer from each member country should be nominated from the relevant LEA as the National Coordinator, whose roles and responsibilities are as follows:

  • Provides information through questionnaire which was sent along with the cyber activity reports to the respective countries;

  • Guides and delegates national actions in line with the country’s priorities and operation plan; and

  • Stimulates the gathering of information and intelligence at national level and generates sharing through INTERPOL channels established in the Operation.

Phase III: Tactical Phase (August to September 2019)

The tactical phase will focus primarily on carrying out the recommended actions detailed in the respective CARs. INTERPOL will ensure coordinated actions from the participating member countries of the Operation. For instances when coordination is required with other member countries that are not part of the Operation, INTERPOL will assist with the liaison.

The tactical phase will be further divided into 2 sub-phases: the first sub-phase will focus on advancing investigations and followed by the second sub-phase on clean-up and patching of the infected routers. All actions shall be documented systematically.

Phase IV: Evaluation (October 2019)

After the tactical phase, participating law enforcement agencies are requested, via the nominated point of contact, to submit an evaluation report and take part in the debriefing session.

Good practices and lessons learned will be shared amongst participating countries. INTERPOL will also provide an overall evaluation report on the Operation, providing feedback and recommendations to all countries that participated in the operation.

The information contained in this website is for general information purposes only. The information is gathered from Cybercrime Directorate (CD), INTERPOL while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.