European supercomputers hacked and forced to mine cryptocurrency

Tomcat



Supercomputers all over Europe have come under attack, with intruders forcing the powerful machines to secretly mine cryptocurrency. Such incidents have been reported from the UK, Germany and Switzerland, and unconfirmed reports indicate that a similar attack affected a high-performance computing center in Spain.

The attack was first reported last week from the University of Edinburgh, which houses the ARCHER supercomputer. As we already wrote, the administration was forced to suspend ARCHER and reset SSH passwords to prevent further attacks.

Then the German organization BwHPC, which coordinates research projects on supercomputers in Germany, also announced that five of its high-performance computing clusters would be temporarily unavailable due to similar problems. The following systems were taken offline:
  • the Hawk supercomputer, installed at the University of Stuttgart, in the High-Performance Computing Center Stuttgart;
  • the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology;
  • the bwForCluster JUSTUS supercomputer, housed at the University of Ulm and used by chemists and quantum computing researchers;
  • the bwForCluster BinAC supercomputer, installed at the University of Tübingen and used for bioinformatics.
After that, cybersecurity researcher Felix von Leitner said in his blog that a supercomputer located in Spain had also been attacked and was temporarily out of service as a result.

Hacks continued to be reported last Thursday. For example, representatives of the Leibniz Supercomputing Centre, which operates under the patronage of the Bavarian Academy of Sciences, announced a hack; the compute cluster there was shut down because of the attack.

On the same day, the Jülich Research Centre in Germany also reported a compromise. Officials said they had to close access to the JURECA, JUDAC and JUWELS supercomputers.

The Technical University in Dresden announced that day that it was forced to suspend the operation of its Taurus supercomputer.

Last weekend, the Swiss Center for Scientific Computing (CSCS) in Zurich was also forced to close external access to its supercomputing infrastructure due to an attack.

Interestingly, none of the above organizations has published virtually any details of what happened. Only now has the situation begun to clear up: experts from the CSIRT (a European organization that coordinates research on supercomputers throughout Europe) have released malware samples and indicators of compromise for some of the incidents.

Also last weekend, German expert Robert Helling published an analysis of malware that infected a high-performance computing cluster at the physics department of the Ludwig-Maximilians University in Munich.

The malware samples released by the experts have already been analyzed by analysts at Cado Security. The company writes that the attackers seem to have gained access to the supercomputing clusters through compromised SSH credentials (which was previously indirectly confirmed by the ARCHER administration).

Apparently, the credentials were stolen from university staff who had been given access to the supercomputers to perform calculations. The "hijacked" SSH credentials belonged to universities in Canada, China, and Poland.

While there is no conclusive evidence yet that all the attacks were carried out by the same group, similar malware file names and network indicators suggest that the same people may have been behind all the incidents.

Cado Security researchers believe that, having gained access to a supercomputer node, the attackers used an exploit for the CVE-2019-15666 vulnerability to obtain root access and then deployed a Monero (XMR) cryptocurrency miner on the infected supercomputer.

However, it is worth noting another interesting fact, which we already drew attention to last week: many of the organizations whose supercomputers were attacked had previously announced that they were giving priority to research related to COVID-19. As a result, there is a theory that the hackers wanted to steal the results of these studies or simply sabotage them.