Hackers have managed to install cryptocurrency mining malware on multiple supercomputers across Europe, which have now had to be shut down while the incidents are investigated.
Security incidents at facilities housing supercomputers were reported in the UK, Germany and Switzerland while a similar breach was also rumored to have occurred at a high-performance computing center located in Spain.
The University of Edinburgh, which runs the ARCHER supercomputer, suffered the first attack; the organization reported that it had disabled access to the system and reset SSH passwords due to a security exploitation on the ARCHER login nodes. On the same day, bwHPC, the organization responsible for coordinating research projects across supercomputers in the German state of Baden-Württemberg, announced that five of its high-performance computing clusters were shut down following similar security incidents.
Later in the week, the Bavarian Academy of Sciences’ Leibniz Computing Center (LRZ) announced that it had disconnected a computing cluster from the internet following a security breach. Officials from the Julich Research Center then announced that they shut down the JURECA, JUDAC and JUWELS supercomputers after an IT security incident. The Technical University in Dresden also announced that it had to shut down its Taurus supercomputer as well.
While none of the organizations whose supercomputers were affected by these security incidents have published any details on them, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) has released malware samples and network compromise indicators for some of the attacks.
After reviewing these malware samples, the UK-based cybersecurity firm Cado Security believes that the attackers likely gained access to the supercomputer clusters by using compromised SSH credentials. These credentials appear to have been stolen from university staff in Canada, China and Poland who had been given access to the supercomputers to run demanding and complex computing jobs.
Cado Security’s Co-Founder Chris Doman told ZDNet that similar malware file names and network indicators suggest that these security incidents may have been carried out by the same threat actor. Based on his analysis, the attacker leveraged the CVE-2019-15666 vulnerability in the Linux kernel to gain root access and then deployed an application to mine the Monero cryptocurrency.
Having to take down this many supercomputers at once due to security incidents is unprecedented and, unfortunately, many of these systems were being used to research and study Covid-19 at the time.