Several supercomputers across Europe have been infected with cryptocurrency mining malware and were forced to shut down to investigate the intrusions.
The malware infection has been reported in the UK, Germany, and Switzerland, and a similar intrusion also occurred at a high-performance computing center located in Spain.
The initial report of the attack came from the University of Edinburgh, which runs the ARCHER supercomputer. The University reported “security exploitation on the ARCHER login nodes,” shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.
bwHPC, the organization that coordinates research projects across supercomputers in the German state of Baden-Württemberg, also reported that five of its high-performance computing clusters were shut down because of a similar issue:
- The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
- The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
- The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
- The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University
Two days later, security researcher Felix von Leitner claimed in a blog post that a supercomputer in Barcelona, Spain, was also affected by a security issue and had been shut down because of it.
The next day brought reports of several further incidents. The first came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences. The next came from the Jülich Research Center in the town of Jülich, Germany, where the JURECA, JUDAC, and JUWELS supercomputers were shut down following the incident. A further report came from the Technical University of Dresden, which had to shut down its Taurus supercomputer.
German scientist Robert Helling published an analysis on the malware that infected a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.
The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland shut down the external access to its supercomputer infrastructure.
None of the affected organizations have published details of the intrusions. However, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, has released malware samples and network compromise indicators from some of these incidents.
Cado Security, a UK-based cyber-security firm, reviewed the malware samples and reported that the attackers gained access to the supercomputer clusters through compromised SSH credentials.
The credentials appear to have been stolen from university members who had been given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to users at universities in Canada, China and Poland.
According to Chris Doman, Co-Founder of Cado Security, there is no official evidence confirming that all the intrusions were carried out by the same group, but similarities such as matching malware file names and network indicators suggest that this may be the work of a single threat actor.
According to his analysis, once the attackers had access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.
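The intrusion chain above starts with stolen SSH credentials on the login nodes, so one defensive check is to look for accounts that authenticate from several unrelated networks in a short window. The following is an added example, not code from the article or from Cado Security; it assumes sshd logs in the default syslog format, and the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
May 11 02:14:05 login1 sshd[1201]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
May 11 02:19:47 login1 sshd[1288]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
May 11 02:31:12 login1 sshd[1302]: Accepted password for alice from 203.0.113.44 port 39000 ssh2
May 11 03:02:00 login1 sshd[1390]: Accepted publickey for bob from 192.0.2.20 port 50000 ssh2
May 11 09:15:00 login1 sshd[2001]: Accepted password for bob from 192.0.2.21 port 50001 ssh2
May 11 09:16:00 login1 sshd[2002]: Failed password for carol from 203.0.113.9 port 41000 ssh2
"""

# Matches only successful logins; failures and unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_accepted(log_text, year=2020):
    """Yield (timestamp, user, ip, method) for each successful sshd login.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"], m["method"]

def network_of(ip, prefix=16):
    """Coarse grouping of a source address; a /16 is a rough stand-in for 'same site'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def flag_shared_accounts(log_text, window=timedelta(hours=1), min_networks=3):
    """Return {user: sorted networks} for accounts that logged in from at least
    `min_networks` distinct networks within any span of length `window`."""
    logins = defaultdict(list)
    for ts, user, ip, _ in parse_accepted(log_text):
        logins[user].append((ts, network_of(ip)))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            nets = {net for ts, net in events[i:] if ts - start <= window}
            if len(nets) >= min_networks:
                flagged[user] = sorted(nets)
                break
    return flagged
```

On the sample data only `alice` is flagged: three successful logins from three different networks within twenty minutes, while `bob`'s two logins share one network and `carol`'s failed attempt is ignored.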
Most of the organizations that had to shut down their supercomputers were prioritizing research on the COVID-19 outbreak, which has now been obstructed by the intrusions.
Although installing crypto-mining malware on a supercomputer is not new, this is the first time it has been done by outside hackers; previous cases involved employees installing the cryptocurrency miner for their own personal gain.