SCW's Response to the March 2023 NVR Malware Incident

Cyber Attacks Happen. Here's How We Responded.


Summary of What Happened:


A cyber attack occurred on a small percentage of our clients' networks. These clients were unable to remotely access their Admiral or Imperial NVRs at that time via SCW Go, SCW View Station, and web access. Clients who experienced this issue have shown no signs of footage loss - just the inability to view it via network (remote or local).


SCW services (such as our website or Survail platform), the third-party P2P service we utilize, and the network and NVRs that SCW uses internally were not attacked. On Admiral and Imperial NVRs with ARM processors (not Intel ones), we saw evidence of a type of virus that primarily affects routers.


Whether a user experienced the attack was determined by the type of router the customer had and by whether the user had opened ports on that router (which is against our recommendations).


Timeline of Events

  • Increased Call Volume

    Thursday, March 2nd 2023

    Support noticed an uptick in customers calling in with NVRs that were offline. When support noticed that the NVRs going offline were doing so repeatedly, client network and NVR logs were requested.

  • Malware Discovered

    Sunday, March 5th 2023

    The NVRs that were offline were found to have malware.

  • Malware Issue Tested - Offline Firmware Fix Test

    Monday, March 6th 2023

    Installer Partners were given an offline firmware fix to test. The firmware removed the malware but did not sufficiently prevent re-infection.

  • Malware Issue Resolved - Second Version Fix added to Cloud Update Process

    March 7th 2023

    The second version of the firmware fix was released and added to the cloud update process. The SCW Support Team updated 1000 or so customers during this time. Another 2500 or so clients used the self-service offline or cloud update processes. The firmware removed the malware and prevented re-infection.

  • Login Failed Bug on NVR Discovered

    March 8th 2023

    It was observed that a very small percentage (about a hundred of around 3000) of units that applied the firmware update bricked on the update. SCW shipped replacement units, next day air, immediately. It was later found that there was a conflict between the new firmware and NVRs with the "auto-reboot" function enabled.

  • Third Version Fix added to Cloud Update Process

    March 9th 2023

    The bricked-on-update problem was discovered and a recovery fix was created and distributed via the cloud update process. Older firmware fixes were removed to prevent bricking more devices.

What was Observed about the Malware

  • The malware attempted to build TCP connections
  • The data sent was encrypted, so we can't see exactly what it was, but the file sizes were so small as to clearly not be video or images.
  • User logins and video are encrypted on the NVR's file system
  • The malware was similar in behavior to, or in the family of, “TheMoon” malware, which attempts to set up a botnet
  • We did not observe or get any reports of DDoS or flooding behaviors coming out of the NVRs
  • The IPs observed were from Western Europe (Belgium, Germany, Sweden, Netherlands)
  • At this time, we’ve been asked not to share the specific IPs observed
  • It’s also possible the IPs reached out to may vary by incident
  • No organizations have reached out to SCW or our manufacturer, claiming responsibility or making demands
  • The malware was removed and current re-infection methods were prevented with 03-08 firmware and beyond
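
To illustrate how the pattern observed above (repeated TCP connections carrying very little data) can be looked for in router or firewall flow logs, here is an added example; it is not SCW's tooling and not part of the original write-up. The log format, NVR address, network ranges and thresholds are assumptions, and the IPs are constructed documentation addresses, not the IPs observed in the incident.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow log (documentation-range IPs, not real indicators).
# Assumed columns: time, src, dst, dport, proto, bytes_out
SAMPLE_FLOWS = """\
2023-03-04T01:00:05,192.168.1.50,198.51.100.10,443,tcp,48211
2023-03-04T01:00:09,192.168.1.50,203.0.113.77,8443,tcp,212
2023-03-04T01:05:09,192.168.1.50,203.0.113.77,8443,tcp,198
2023-03-04T01:10:10,192.168.1.50,203.0.113.77,8443,tcp,205
2023-03-04T01:11:00,192.168.1.23,203.0.113.77,8443,tcp,900
2023-03-04T01:12:00,192.168.1.50,192.168.1.1,53,udp,64
2023-03-04T01:13:00,192.168.1.50,203.0.113.90,80,tcp,350000
"""

NVR_IPS = {ip_address("192.168.1.50")}         # assumed NVR address
SKIP_NETS = [ip_network("192.168.1.0/24"),     # assumed local LAN
             ip_network("198.51.100.0/24")]    # assumed P2P/update service range
SMALL_BYTES = 1024   # assumed ceiling for "too small to be video or images"
MIN_REPEATS = 3      # assumed number of repeats before a destination is flagged

def suspicious_flows(log_text):
    """Return {(nvr, dst, dport): (count, total_bytes)} for repeated small
    outbound TCP flows from an NVR to destinations outside SKIP_NETS."""
    seen = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines
        _, src, dst, dport, proto, nbytes = row
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
            port, size = int(dport), int(nbytes)
        except ValueError:
            continue  # skip lines with unparsable addresses or numbers
        if src_ip not in NVR_IPS or proto.lower() != "tcp":
            continue
        if any(dst_ip in net for net in SKIP_NETS) or size > SMALL_BYTES:
            continue
        entry = seen[(src, dst, port)]
        entry[0] += 1
        entry[1] += size
    return {k: tuple(v) for k, v in seen.items() if v[0] >= MIN_REPEATS}

if __name__ == "__main__":
    for (nvr, dst, port), (count, total) in suspicious_flows(SAMPLE_FLOWS).items():
        print(f"{nvr} -> {dst}:{port} tcp, {count} flows, {total} bytes total")
```

A hit from a check like this is only a lead for review; the NVR and router logs are still needed to confirm what the device was doing.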

Prevention Steps

  • Be sure to update firmware
  • Do not use port forwarding, as stated in the networking guide that goes out with every new order / manual
  • Ideally, use a VPN. If a VPN is not possible, use P2P with port mapping off (no UPnP or manual port forwarding)
  • Keep firmware up to date - check monthly for Cloud Upgrades
