The rise in value of cryptocurrency appears to be tempting public employees in technology departments across the country to violate the public trust. In recent months, several news stories have come to light about the prosecution or termination of government employees who were allegedly caught cryptomining on the government's dime.
Cryptocurrency miners solve computational puzzles to verify digital coin transactions and add them to the blockchain. Anyone with access to the Internet and suitable hardware can participate in mining. The miner who first solves the puzzle gets to place the next block on the blockchain and claim rewards, which include incentives like a portion of transaction fees and a newly released coin. The act of cryptomining takes a good deal of energy and requires a server farm to run the mining function.
For some in state technology departments, the temptation to use available government resources to earn more money is obvious. The Checkpoint Software Technologies blog estimated that a cryptominer who validated a bitcoin transaction in the blockchain would earn 12.5 BTC, which at the current exchange rate (March 7, 2018) would be valued at $10,515.
Security expert Avi Rembaum, with Checkpoint Security Software Technologies, said government is no more insulated from this activity than private industry, where cryptomining activity has also been on the rise.
Some employees, he explained, might have the mindset that allows them to ignore the violation of public trust. The fact that they are only stealing resources and not introducing software into the system may allow them to justify what they are doing. For example, he said, an employee might think, “I didn’t do anything. I didn’t steal anything. All I did was use a piece of software, and the software used the available computation cycles of that machine.”
“What they are doing is misusing government resources and goes against the use agreement that they signed as an employee of a government agency,” he said.
While it is difficult to determine the attitudes of public employees breaking basic guidelines — and the law — many agencies do not know when their systems have been accessed for the purposes of cryptomining or whether the employees in charge of the department are in on the scheme.
The Louisiana State Office of the Attorney General's technology department fired five employees in February after hardware for a mining operation was discovered.
Those fired included a systems administrator, a help desk manager, a litigation support coordinator and a human resources employee who worked closely with the IT division. No one was charged.
In other states, IT security systems are such that they detect foreign intrusion immediately. The California Department of Technology (CDT) quickly acted when it found two software systems specialists using its technology in 2016.
According to CDT Information Officer Bryce Brown, the employees’ criminal actions were discovered between October and November. “We identified the activity using our primary network monitoring and all the appropriate administrative action was taken including notification of law enforcement, in that case,” he said.
The Department of Technology employs 950 people and offers technology services to all state agencies in addition to ISP services throughout the state of California for state, local government and educational agencies.
Anyone with access to the California network is also monitored by the department. “We are constantly monitoring state computer networks and tech systems to ensure that those folks that have access ... adhere to our written policies and procedures,” said Brown. “If there is suspected criminal activity, like there was in this case, we notify the appropriate law enforcement.”
In what might be a classic case of cryptomining on a public system, the Florida Department of Citrus was seeing an unexplained spike in its utility billing. Agents with the Florida Department of Law Enforcement (FDLE) arrested an information technology manager and charged him with grand theft and official misconduct for allegedly using state servers to mine digital currency. The systems manager also allegedly used a state credit card to purchase 24 graphics processing units, often used to extract cryptocurrency.
Utility bills for the department jumped by more than 40 percent between October 2017 and January 2017, at a cost of about $825, according to the agency's inspector general.
Agents learned the employee had accessed a virtual currency exchange from several computers in the department and was part of a mining pool, which is made up of any number of miners who pool computing resources to validate purchases on the blockchain. A pool combines its resources to help offset costs and the resulting rewards for validation are also split.
“We are grateful for the swift and professional actions of the Florida Department of Law Enforcement,” Shannon Shepp, executive director of the Department of Citrus, said in a press release. “This is a breach of ethics that is far outside the character of the Florida Department of Citrus and the industry we serve. Fortunately our agency has internal controls that detected suspicious activity, and our inspector general immediately notified the proper channels. We will continue to work with FDLE and the court system through this process.”
Government agencies need to know what IT employees are doing on their networks, Rembaum said, and that ability should be built into your data system.
“A server that is at work mining crypto requires a lot more power, this can also require a lot more cooling, and it is going to overwhelm resources that are required elsewhere,” he said. “If a server is overheating or the CPUs are spiking, or bandwidth use is abnormal, you should be able to see this.”
“An administrator should be looking for attempts to exploit known vulnerabilities. That is the function of intrusion prevention, which is a standard network security function,” he said.
The flip side of this is that system administrators also need to be on guard for the installation of cryptomining software. If an employee is not authorized or does not have administrative privileges, they may choose to steal credentials through hacking or “exploiting vulnerabilities,” he said.
Rembaum compares cryptomining to a typical malware attack. “In this instance, the malware is not stealing credentials from the machine or watching keystrokes, instead the software takes advantage of the resource capacity of the server,” he said.
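One way to turn the CPU signal Rembaum describes into a check is to compare each server against its own baseline and alert only on sustained load, since mining runs for hours while backups and patch jobs produce short bursts. The following is an added example, not code from the article or from any agency named in it; the host names, hourly sampling, thresholds and telemetry values are constructed assumptions.

```python
from statistics import median


def longest_run_above(samples, threshold):
    """Length of the longest consecutive run of samples above threshold."""
    best = run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        best = max(best, run)
    return best


def flag_sustained_load(baseline, recent, min_run=6, factor=2.0, floor=70.0):
    """Return hosts whose recent CPU stays far above their own baseline.

    baseline / recent: dict of host -> list of hourly CPU-percent samples.
    A host is flagged when at least `min_run` consecutive recent samples
    exceed max(floor, factor * median(baseline)). Short bursts break the
    run and are not flagged.
    """
    flagged = {}
    for host, samples in recent.items():
        threshold = max(floor, factor * median(baseline[host]))
        run = longest_run_above(samples, threshold)
        if run >= min_run:
            flagged[host] = {"threshold": threshold, "hours": run}
    return flagged


# Constructed sample telemetry (hourly CPU %), not data from the article.
BASELINE = {
    "file01": [12, 15, 10, 14, 11, 13, 12, 16],
    "app02": [20, 25, 22, 18, 24, 21, 23, 19],
}
RECENT = {
    # Two-hour burst, e.g. a scheduled backup: should not alert.
    "file01": [12, 14, 96, 95, 13, 11, 15, 12, 14, 13, 12, 11],
    # Eight consecutive hours near 100%: the pattern worth investigating.
    "app02": [22, 24, 97, 98, 96, 99, 97, 98, 96, 97, 23, 21],
}

if __name__ == "__main__":
    for host, info in flag_sustained_load(BASELINE, RECENT).items():
        print(f"{host}: {info['hours']}h above {info['threshold']:.0f}% CPU")
```

The same run-length test can be applied to power draw, inlet temperature or outbound bandwidth series, the other signals mentioned above.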