Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.
Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.
The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “security exploitation on the ARCHER login nodes,” shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.
The bwHPC, the organization that coordinates research projects across supercomputers in the state of Baden-Württemberg, Germany, also announced on Monday that five of its high-performance computing clusters had to be shut down due to similar “security incidents.” This included:
- The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
- The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
- The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
- The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University
Reports continued on Wednesday when security researcher Felix von Leitner claimed in a blog post that a supercomputer housed in Barcelona, Spain, was also impacted by a security issue and had been shut down as a result.
More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it was disconnected a computing cluster from the internet following a security breach.
The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.” And so has the Technical University in Dresden, which announced they had to shut down their Taurus supercomputer as well.
New incidents also came to light today, on Saturday. German scientist Robert Helling published an analysis on the malware that infected a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.
The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also shut down external access to its supercomputer infrastructure following a “cyber-incident” and “until having restored a safe environment.”
Attackers gained access via compromise SSH logins
None of the organizations above published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, has released malware samples and network compromise indicators from some of these incidents.
The malware samples were reviewed earlier today by Cado Security, a US-based cyber-security firm. The company said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials.
The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland.
Chris Doman, Co-Founder of Cado Security, told ZDNet today that while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor.
According to Doman’s analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.