Supercomputers at universities and research centers across Europe have been attacked: hackers broke into European supercomputers and covertly made them mine cryptocurrency. Reports of such incidents came from the UK, Germany and Switzerland, and, according to unconfirmed reports, a high-performance computing center in Spain suffered a similar attack.
The first report of an attack came last week from the University of Edinburgh, which houses the ARCHER supercomputer.
“The administration was forced to suspend ARCHER, as well as reset SSH passwords to prevent further attacks,” said representatives of the university.
Then the German organization BwHPC, which coordinates research projects on supercomputers in Germany, also announced that five of its high-performance computing clusters would be temporarily unavailable due to similar problems. After the attacks, the following were taken offline:
- the Hawk supercomputer, installed at the High-Performance Computing Center Stuttgart at the University of Stuttgart;
- the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology;
- the bwForCluster JUSTUS supercomputer, hosted by the University of Ulm and used by chemists and quantum computing researchers;
- the bwForCluster BinAC supercomputer, installed at the University of Tübingen and used for bioinformatics.
After that, security researcher Felix von Leitner said on his blog that a supercomputer in Spain had also been attacked and was temporarily out of service as a result.
Reports of hacks continued to arrive last Thursday. Representatives of the Leibniz Computing Center, which operates under the Bavarian Academy of Sciences, confirmed an intrusion; a computing cluster was disconnected after the attack.
On the same day, the Jülich Research Center in Germany also reported a compromise. Officials said they had to block access to the JURECA, JUDAC and JUWELS supercomputers.
The Technical University of Dresden announced that it was forced to suspend its Taurus supercomputer.
Last weekend, the Swiss Center for Scientific Computing (CSCS) in Zurich was also forced to block external access to its supercomputer infrastructure due to an attack.
“Interestingly, none of the above organizations has published any details of what happened,” wondered Felix von Leitner.
Only now has the situation begun to become clearer: experts from the CSIRT (the European organization that coordinates research on supercomputers throughout Europe) have released malware samples and indicators of compromise from some of the incidents.
Also over the weekend, German expert Robert Helling published an analysis of malware that infected a high-performance computing cluster at the physics department of Ludwig Maximilian University in Munich.
Cado Security analysts have already examined the released malware samples.
“The attackers seem to have gained access to supercomputer clusters through compromised SSH credentials (as previously confirmed by the ARCHER administration),” write Cado Security researchers.
Apparently, the credentials were stolen from university staff who had been given access to the supercomputers to run calculations. The stolen SSH credentials belonged to universities in Canada, China and Poland.
Although there is no explicit evidence that all the attacks were carried out by the same hacker group, similar malware file names and network indicators suggest that the same people could be behind all the incidents.
“After gaining access to the supercomputer node, the hackers used an exploit for the CVE-2019-15666 vulnerability, which allowed them to secure root access and deploy a Monero (XMR) cryptocurrency miner on the infected supercomputer,” say Cado Security specialists.
Another fact is worth noting: many of the organizations whose supercomputers were attacked had previously announced that they were giving priority to research related to COVID-19. This has given rise to a theory that the hackers wanted to steal the results of these studies or simply sabotage them.
Recall that Europe’s largest private hospital operator, Fresenius, was recently attacked with Snake ransomware, which endangered both coronavirus patients and research on this topic.