Several supercomputers across Europe have been infected with cryptocurrency mining malware19. May 2020
Several supercomputers across Europe have been infected with cryptocurrency mining malware
The first report of an attack came on Monday last week from the University of Edinburgh, which operates the ARCHER supercomputer. The organization reported “security exploitation of the ARCHER login node.” The ARCHER system was shut down and SSH passwords reset to investigate and prevent further break-ins.
The bwHPC, the organization that coordinates research projects on supercomputers in the German state of Baden-Württemberg, also announced on Monday that five of its high-performance computer clusters had to be shut down due to similar “security incidents”. This included: The Hawk supercomputer at the High Performance Computing Centre Stuttgart (HLRS) at the University of Stuttgart, the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT), the bwForCluster JUSTUS chemistry and quantum science supercomputer at the University of Ulm and the bioinformatics supercomputer bwForCluster BinAC at the University of Tübingen.
The reports continued on Wednesday when security researcher Felix von Leitner claimed in a blog post that a supercomputer in Barcelona, Spain, was also affected by a security problem and was therefore switched off.
Further incidents were recorded on Thursday. The first came from the Leibniz Computing Centre (LRZ), an institute of the Bavarian Academy of Sciences. A statement said that a computing cluster had been disconnected from the Internet after a security breach. This was followed later that day by the Forschungszentrum Jülich . A memo said that they had to shut down the supercomputers JURECA, JUDAC and JUWELS after an “IT security incident”. The Technical University of Dresden also announced that they had to take their Taurus supercomputer off line.
The German scientist Robert Helling published an analysis of the malware that infected a high-performance computer cluster at the Faculty of Physics at the Ludwig-Maximilians-University of Munich. The Swiss Centre for Scientific Computing (CSCS) in Zurich (Switzerland) also shut down external access to its supercomputer infrastructure after a “cyber accident” “until a secure environment is restored”.
Initially, none of the above-mentioned organizations published details of the break-ins. Yesterday, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers in Europe, caught up by publishing malware samples and network compromise indicators from some of these incidents.
The malware samples were reviewed by Cado Security, a UK-based cyber security company. The company stated that the attackers apparently gained access to the supercomputer clusters via compromised SSH credentials.
The credentials appear to have been stolen by university staff who were given access to the supercomputers to perform computing tasks. The hijacked SSH logins belonged to universities in Canada, China and Poland.
Chris Doman, co-founder of Cado Security, told ZDNet that while there is no evidence that all the break-ins were carried out by the same group, similar malware file names and network indicators would indicate that.
According to Domans, once they gained access to a supercomputer node, the attackers could have used a CVE 2019 15666 vulnerability exploit to gain root access and then deployed an application that mined the crypto currency, Monero (XMR).
To complicate matters, many of the organizations affected by the outage had announced in the previous weeks that they would prioritize research into the COVID 19 outbreak.
These incidents are not new. Crypto-mining malware has also been installed by employees in previous cases to gain benefits. This time, however, the attack came from hackers.