Operation Goldfish Alpha: Authorities Disinfect 78% of Infected MikroTik Routers used for Cryptojacking Campaigns

  • Termed Operation Goldfish Alpha, the campaign was launched across the Southeast Asia region in June 2019.
  • Efforts to patch the remaining devices continue.

Over the last six months, Interpol and CERT teams from 10 Southeast Asian countries have disinfected MikroTik routers that cybercriminals had infected and used to conduct cryptojacking.

Termed Operation Goldfish Alpha, the effort was launched across the Southeast Asia region in June 2019.

What was the purpose?

Based on data collected from police and partners in the cybersecurity industry, Interpol had identified a global cryptojacking campaign facilitated by the exploitation of a vulnerability in MikroTik routers. Over 20,000 hacked routers across 10 Southeast Asian countries were identified as compromised for this purpose.

What was done?

Starting in June 2019, the Interpol team worked together with investigators from the cybersecurity industry to locate the routers, alert the victims and patch the devices so that they were no longer under the control of cybercriminals.

When the operation concluded in late November, the number of infected devices had been reduced by 78%. Meanwhile, efforts to patch the remaining devices continue.

The bottom line

Hacking MikroTik routers and injecting cryptomining scripts has been a popular practice among threat actors since the summer of 2018. At that time, attackers used a MikroTik vulnerability to hijack and infect over 200,000 routers across the world to conduct cryptocurrency-mining attacks.