Cyber Incident Victim: Transneft

Date: Dec 2017

Location: Russia

Summary

Transneft detected unauthorized mining of the Monero cryptocurrency on its computer systems and addressed it by implementing preventive measures to block future occurrences. The mining software had been automatically downloaded from the web and was subsequently deleted. Company officials warned that such incidents could negatively impact processing capacity and productivity, highlighting broader risks for other organizations. An industry expert indicated that exploitation of corporate hardware for cryptocurrency mining was likely to increase because of perceived anonymity and low-effort financial gain. Russian law at the time stipulated severe penalties for server hacking, including potential imprisonment.

Description

In December 2017, Russian pipeline operator Transneft disclosed that its computer systems had been exploited for unauthorized cryptocurrency mining. The company identified Monero, a cryptocurrency positioned as a Bitcoin alternative, as the asset being mined through this illicit activity. According to spokesperson Igor Demin, mining software was automatically downloaded from the internet onto a company computer without authorization, though the software was subsequently deleted. Transneft executives revealed the incident during a company meeting on December 14, with Vice President Vladimir Rushailo confirming that corporate hardware had been misused for cryptocurrency production. Rushailo warned that such unauthorized usage could negatively impact processing capacity but did not specify the operational consequences or duration of the mining activity. The company implemented new security programs designed to block similar unauthorized downloads in the future, though technical details of these controls were not disclosed. No external threat actors were explicitly identified in connection with the incident, and Transneft did not report whether data breaches or additional compromises occurred alongside the mining operation.

The incident highlighted emerging cybersecurity risks associated with cryptocurrency mining targeting corporate infrastructure. Information security expert Pavel Lutsik of the IT firm Croc observed that hackers were increasingly likely to exploit organizational hardware for cryptocurrency production due to the perceived low risk of detection. Russian legislation at the time imposed penalties of up to six years' imprisonment for server hacking, with provisions to increase sentences to ten years starting in 2018. The disclosure occurred against a backdrop of heightened regulatory scrutiny, with Russian authorities repeatedly stating intentions to control virtual currency markets and the central bank warning about cryptocurrency risks related to money laundering and terrorist financing. Transneft's public acknowledgment marked one of the earliest confirmed cases of cryptojacking within critical infrastructure in Russia, though the company did not disclose whether law enforcement investigations were initiated or whether financial losses beyond processing impacts were incurred.
