
Cyber Incident Victim: United States Department of Defense

Date: Dec 2019

Location: United States of America

Summary

A security researcher participating in the Department of Defense's bug bounty program discovered a cryptocurrency-mining botnet operating on a misconfigured Jenkins server within its network. The server accepted requests without authentication, exposing administrative endpoints that let attackers deploy malware and hijack the host's resources for Monero mining. Although the system was secured after the report, forensic evidence showed the botnet had infiltrated the server before the researcher found it, and linked it to a broader campaign against cloud infrastructure. The Monero wallet tied to the intrusion held a modest balance at the time of reporting, but earlier withdrawals left the campaign's total earnings and scope unclear. The incident was disclosed publicly even though no bounty was awarded, the affected infrastructure being considered too sensitive.

CIA Posture: available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

In late December 2019 or early January 2020, Indian security researcher Nitesh Surana discovered a cryptocurrency-mining botnet operating within a US Department of Defense (DOD) network while participating in the DOD's bug bounty program. Surana identified a misconfigured Jenkins automation server, hosted on an Amazon Web Services (AWS) instance under a DOD domain, that accepted requests without any authentication. The misconfiguration exposed the server's file listings and administrative endpoints, including /script, Jenkins's Groovy script console, which executes arbitrary code on the controller. Anyone reaching that endpoint could upload and run scripts, establish persistent backdoors, or take full control of the server. Surana reported the findings through the DOD's HackerOne-based vulnerability disclosure program, and DOD personnel promptly secured the server. Subsequent analysis showed the system had already been breached before Surana's discovery: attackers had used the same open access to install cryptocurrency-mining malware.
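The exposure described above is easy to test for from the outside: a Jenkins controller with security enabled answers anonymous requests to /script, /manage or /api/json with 403 or a redirect to /login, while one with security disabled serves the script console itself. The probe below is an added example, not code from the original page, from the researcher's report or from the Jenkins project. It assumes stock Jenkins behaviour (the "Script Console" heading on /script, the "jobs" key in /api/json); the sample responses embedded in it are constructed, and the hypothetical target URL is supplied on the command line.

```python
"""Probe a Jenkins controller for unauthenticated access to sensitive endpoints.

Added example (not from the original page or the DOD report). Endpoint list and
response markers are assumptions based on stock Jenkins behaviour.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Tuple
import urllib.error
import urllib.request

# Paths that must never be reachable anonymously. /script is the Groovy script
# console (arbitrary code execution on the controller), /scriptText is its
# non-interactive variant, /manage is the admin UI, /api/json lists jobs.
SENSITIVE_PATHS = ("/script", "/scriptText", "/manage", "/api/json")

# A fetcher maps a path to (status_code, body_text). Injecting it lets the same
# probe run against a live host or against constructed responses offline.
Fetcher = Callable[[str], Tuple[int, str]]


@dataclass
class Finding:
    path: str
    status: int
    exposed: bool
    reason: str


def classify(path: str, status: int, body: str) -> Finding:
    """Decide whether one anonymous response shows the endpoint is open.

    Secured Jenkins: 401/403, or a 3xx redirect to /login.
    Open Jenkins: 200 carrying the console markup or the job inventory.
    """
    if status in (401, 403) or 300 <= status < 400:
        return Finding(path, status, False, "authentication enforced")
    if status == 200:
        if path == "/script" and "Script Console" in body:
            return Finding(path, status, True, "Groovy script console reachable anonymously")
        if path == "/api/json" and '"jobs"' in body:
            return Finding(path, status, True, "job inventory readable anonymously")
        if path in ("/manage", "/scriptText"):
            return Finding(path, status, True, "admin endpoint reachable anonymously")
        return Finding(path, status, True, "200 without an auth challenge")
    return Finding(path, status, False, f"unexpected status {status}")


def probe(fetch: Fetcher) -> Dict[str, Finding]:
    return {p: classify(p, *fetch(p)) for p in SENSITIVE_PATHS}


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Anonymous GET that does not follow redirects (a 302 to /login is a signal)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError carrying the 3xx code

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status, r.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read(65536).decode("utf-8", "replace")
    return fetch


# Constructed responses for the two postures: security disabled (anonymous
# users get the console) and security enabled (403 or redirect to /login).
OPEN_JENKINS: Mapping[str, Tuple[int, str]] = {
    "/script": (200, "<h1>Script Console</h1><textarea name='script'></textarea>"),
    "/scriptText": (200, ""),
    "/manage": (200, "<h1>Manage Jenkins</h1>"),
    "/api/json": (200, '{"jobs":[{"name":"deploy"}],"mode":"NORMAL"}'),
}
LOCKED_JENKINS: Mapping[str, Tuple[int, str]] = {
    "/script": (403, "<h1>Access Denied</h1>"),
    "/scriptText": (403, ""),
    "/manage": (302, ""),  # Location: /login
    "/api/json": (403, ""),
}


def probe_constructed(responses: Mapping[str, Tuple[int, str]]) -> Dict[str, Finding]:
    return probe(lambda p: responses[p])


if __name__ == "__main__":
    import sys
    # Usage: python jenkins_probe.py http://jenkins.example.internal:8080  (hypothetical host)
    results = probe(http_fetcher(sys.argv[1])) if len(sys.argv) > 1 else probe_constructed(OPEN_JENKINS)
    for f in results.values():
        print(f"{'EXPOSED' if f.exposed else 'ok     '} {f.path:11} {f.status} {f.reason}")
```

Run it only against hosts you are authorised to test. A hit on /script is the one that matters: it means any unauthenticated client can run Groovy on the controller, which is exactly the foothold a miner-dropping botnet needs. The fix is to enable a security realm and an authorization strategy that denies anonymous access, and to keep the controller off the public internet in the first place.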


Further investigation traced the pre-existing compromise to a Monero-mining botnet that targets cloud servers. Forensic evidence tied the attack to a specific Monero wallet address that had been discussed on Chinese-language technical forums since August 2018, where multiple users reported the same infection on their own cloud servers. That wallet held approximately 35.4 XMR (about $2,700 as of February 2020), but earlier withdrawals made it impossible to estimate the operation's total earnings. The DOD acknowledged the incident through its bug bounty program but withheld details of the affected server on security grounds. Although the department had recently paid out $275,000 in rewards through its vulnerability disclosure initiatives, Surana received no bounty for this report despite its validation and remediation. The case was an uncommon instance of the DOD allowing a researcher to publicly disclose, in limited detail, a confirmed compromise of one of its networks.
