European supercomputers were hacked to mine cryptocurrency: Report
- Supercomputers in Switzerland, Germany, and the UK were affected.
Supercomputers across Europe, prioritised for Covid-19 research, were hacked last week. Supercomputers in Germany, the UK and Switzerland were attacked, and the ‘infections’ included cryptocurrency-mining malware. All of the affected supercomputers were taken offline for investigation. Reports say that a hacking incident was also reported at a “high-performance computing center located in Spain”.
The first report of the cryptocurrency-mining malware came last week from the University of Edinburgh, which houses the ARCHER supercomputer. The university reported a “security exploitation on the ARCHER login nodes” and shut down the system to investigate.
To prevent further intrusions, the university decided to reset SSH passwords. ZDNet reports that bwHPC, which coordinates research projects across supercomputers in Baden-Württemberg, Germany, also reported a similar intrusion last Monday.
bwHPC then shut down five of its high-performance computing clusters: the Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart, the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT), the bwForCluster JUSTUS chemistry and quantum science supercomputer at Ulm University, and the bwForCluster BinAC bioinformatics supercomputer at the University of Tübingen.
Security researcher Felix von Leitner wrote in a blog post that a supercomputer in Barcelona, Spain, was also affected. More incidents surfaced on Thursday, including one at the Leibniz Computing Center (LRZ).
German scientist Robert Helling on Saturday published an analysis of the malware that had infected a computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.
The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also shut down external access to its supercomputer infrastructure.
None of the organisations has published further details yet, but it is understood that SSH logins were compromised. The Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) has since released malware samples and network compromise indicators from some of these incidents.
The samples were reviewed earlier today by Cado Security, a US-based cybersecurity firm, which said that the attacker appears to have gained access via compromised SSH credentials. According to Cado Security, the credentials were stolen from university members with access to these supercomputers.
Chris Doman, Co-Founder of Cado Security, told ZDNet that these attacks might have been carried out by the same threat actor. Doman noted that “once the attackers gained access to a supercomputing node, they used an exploit for the CVE-2019-15666 vulnerability to gain root access”. Attackers then “deployed an application that mined the Monero (XMR) cryptocurrency. All of these supercomputer networks were prioritizing research on the Covid-19 outbreak”.
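The initial access described above was stolen SSH credentials belonging to legitimate users, which is exactly the kind of intrusion that looks like normal traffic unless login patterns are compared across time and source addresses. The script below is an added example, not code from the article or from any of the affected sites or from Cado Security. It parses a handful of constructed sshd "Accepted" lines in the common auth.log format and flags two signals a defender at a login node would want: one account authenticating from several distinct source addresses within a short window (consistent with a shared or stolen credential), and an account that starts using password authentication after previously using a key (an assumption here is that the cluster expects key-based logins, so a password login for such an account is worth a look). Host names, addresses and the year are all assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real logs from any site in the article).
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_AUTH_LOG = """\
May 11 09:12:33 login1 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
May 11 09:40:02 login1 sshd[1250]: Accepted publickey for bob from 198.51.100.7 port 40110 ssh2
May 11 22:15:47 login2 sshd[2210]: Accepted password for alice from 203.0.113.45 port 60021 ssh2
May 11 22:16:03 login2 sshd[2211]: Accepted password for alice from 203.0.113.46 port 60022 ssh2
May 12 03:08:19 login1 sshd[3001]: Accepted publickey for alice from 203.0.113.99 port 33001 ssh2
May 12 08:00:00 login1 sshd[3100]: Accepted publickey for bob from 198.51.100.7 port 40555 ssh2
May 12 08:05:00 login1 sshd[3101]: Failed password for root from 203.0.113.45 port 60100 ssh2
"""

# Matches only successful logins; failed attempts are a separate signal.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted_logins(text, year=2020):
    """Return a list of dicts (ts, host, method, user, src) for successful logins.

    syslog timestamps carry no year, so the caller supplies one (assumed 2020).
    """
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_shared_credential_use(events, window=timedelta(hours=24), min_sources=3):
    """Map user -> sorted source addresses for any user whose successful logins
    came from at least `min_sources` distinct addresses inside one sliding window.
    Thresholds are assumptions; tune them to the site's normal access pattern."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(sources) >= min_sources:
                alerts[user] = sorted(sources)
                break
    return alerts


def find_auth_method_downgrade(events):
    """Return users who logged in with a password after having logged in with a
    key. Where the site expects key-only access, that is a credential-theft
    indicator worth correlating with the events above."""
    seen_key, flagged = set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] == "publickey":
            seen_key.add(e["user"])
        elif e["method"] == "password" and e["user"] in seen_key:
            flagged.add(e["user"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for user, sources in find_shared_credential_use(evs).items():
        print(f"{user}: logins from {len(sources)} addresses in 24h: {', '.join(sources)}")
    for user in find_auth_method_downgrade(evs):
        print(f"{user}: password login after key-based logins")
```

On the constructed sample, alice is flagged by both checks (four source addresses in under 24 hours, and password logins after a key login), while bob, who always connects from the same address with a key, is not. In practice the same two functions run over the real auth.log of every login node, and the sliding-window check is most useful when the window and threshold are set from a baseline of how the site's users actually connect.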
This is the first time hackers have managed to run malware of this sort on supercomputers, and it raises serious security concerns.