"It's not feasible that the NAS boxes did this alone," Litke concluded. "That means there was other hashing power at play. But what those were, how many there were, how many boxes there were, we can't tell."
Although the Synology devices came to the attention of SecureWorks because users reported that their systems were consuming a high number of CPU cycles, attackers could easily modify their code to be more surreptitious, making it harder for victims to notice that their machines, PCs or otherwise, were secretly working on someone else's behalf.
"We've seen malware that can detect when the system is being used, and then throttle back," said Litke. "Then when the device becomes idle again, the malware throttles up."
That kind of behavior has long been used by legitimate software, including projects that rely on the collective power of large numbers of PCs to do heavy computational lifting. The SETI@home initiative, for example, has used more than a million PCs -- whose owners have opted in by downloading and installing a small program -- to analyze radio telescope data in the search for signs of extraterrestrial intelligence. That software would engage only when the host system was idle.
SecureWorks has published more information about the Synology NAS hijacking on its website.
Sign up for CIO Asia eNewsletters.