The hack affected the ICO, the NHS and thousands of government and academic organisations in the UK, the US and elsewhere
The ICO said it was aware of the problem and was working to resolve it. As of Monday morning the ICO continued to display a message on the website’s front page stating that it was unavailable.
The code caused the systems of users visiting the sites affected to contribute processing power to a cryptocurrency mining scheme, a researcher said. No other hacking or data theft appears to have been involved.
The currency mining code has now been disabled and no longer affects users.
The hack illustrates the potential dangers posed by third-party code, which is now found in most major websites. Malicious code has also regularly been injected into widely viewed sites via third-party advertising networks.
On Sunday, computer security researcher Scott Helme discovered the latest incident after a friend received a malware alert when visiting the ICO’s site.
He found the code was inserted along with that of Browsealoud, an accessibility service provided by a UK firm called Texthelp to more than 4,000 prominent sites, including NHS services, the UK’s Student Loans Company, the Financial Ombudsman Service and the General Medical Council.
The code was apparently injected into the sites of all of Browsealoud’s clients, including US sites such as the US court system’s information portal and the City University of New York, Helme said.
Australian sites such as the Queensland legislation portal were also on the list.
Texthelp’s Browsealoud script allows users to request that a page it’s embedded into be read aloud or translated into another language. Such accessibility features are required under laws in areas such as the EU, the UK, the US, Canada and Australia.
The firm appears to have been hit by an attack that implanted the code into Browsealoud, in turn passing it on to the service’s clients, according to Helme.
Helme said he initially verified that about 20 Browsealoud clients carried the code, but he provided a list of 4,275 sites around the world that carried the Browsealoud script, and as such were likely to have been infected.
While currency miners are more of a nuisance than a threat, simply drawing on users’ processing power, Helme said the hackers could have implanted more dangerous code if they had chosen to do so.
The hackers apparently didn’t attempt to implant persistent code on users’ systems, meaning that the script runs only while a browser window is displaying an affected web page. Closing the window stops the code from running.
The script, which was disguised in an attempt to bypass security programs, is distributed by Coinhive and mines the Monero cryptocurrency. It was originally developed as a way for website operators to decrease their reliance on advertising, but has since been widely abused by hackers.
Texthelp said it disabled Browsealoud after Helme reported the issue and has commissioned an independent security review into how the attack occurred.
“We have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” stated Texthelp chief technical officer Martin McKay.
The National Cyber Security Centre (NCSC) said it was also looking into the incident.
“The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely,” the NCSC said in a statement. “At this stage there is nothing to suggest that members of the public are at risk.”
Do you know all about security? Try our quiz!