Last week, supercomputers at many higher-education institutions in Europe were hit by cyber attacks. Universities and computing centers in the UK, Germany and Switzerland reported incidents, and a computing center in Spain is also rumored to have been attacked.
Attackers infected the supercomputers with cryptocurrency mining malware. As a result, the clusters had to be taken offline so that information security specialists could investigate the incidents.
The first attack report came on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The university reported a “security exploitation on the ARCHER login nodes”, shut down the supercomputer system, and reset SSH credentials to prevent further intrusions. bwHPC, an organization that coordinates research projects on supercomputers in the Baden-Württemberg region of Germany, also announced on Monday that it had to shut down five computing clusters because of malware infections. The affected systems were the Hawk supercomputer at the High Performance Computing Center (HLRS) at the University of Stuttgart; the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology; the bwForCluster JUSTUS supercomputer at the University of Ulm; and the bwForCluster BinAC supercomputer at the University of Tübingen.
Attack reports continued to arrive on Wednesday, when information security specialist Felix von Leitner wrote on his blog that a supercomputer located in Barcelona had to be taken offline as well.
More incident reports appeared the next day, Thursday. The first came from the Leibniz Supercomputing Centre, an institution that is part of the Bavarian Academy of Sciences. Later that day, the Jülich Research Centre in Germany announced an attack; its management said it had to shut down the JURECA, JUDAC and JUWELS supercomputers. Finally, Dresden University of Technology announced the forced shutdown of its Taurus supercomputer.
New incidents became known on Saturday. Attackers compromised the computing systems of the Ludwig Maximilian University of Munich, and the Swiss National Supercomputing Centre (CSCS) in Zurich was also forced to block access to its supercomputer infrastructure because of an attack.
“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum,” said CSCS Director Thomas Schulthess.
On the same day, specialists from CSIRT, an organization that investigates information security incidents, published malware samples and network indicators of compromise for some of these incidents. In addition, the German expert Robert Helling published an analysis of the software used in the attack on the systems of the Ludwig Maximilian University of Munich. The samples were reviewed by experts at the American company Cado Security, who concluded that the attackers appear to have gained access to the supercomputers through compromised SSH credentials. According to the experts, the attackers stole the credentials from university members who had access to the supercomputers.
Chris Doman, co-founder of Cado Security, said that although there is no official evidence that all the intrusions were carried out by one group of cybercriminals, evidence such as similar malware file names and network indicators suggests that the same people most likely stood behind the attacks. Cado Security believes the attackers used an exploit for the CVE-2019-15666 vulnerability, which allowed them to gain root access to the system and deploy a Monero (XMR) cryptocurrency mining application on the supercomputer. As Tilman Werner, an information security specialist at CrowdStrike, explained in a comment to the BleepingComputer portal, one component of the malware obtained root access and downloaded further programs, while another component was used to remove traces of the operation from log data.
At the same time, many of the organizations that had to halt their supercomputers because of the attacks had earlier reported that they were conducting COVID-19 research, which will now have to be interrupted.
These attacks are not the first attempt to install cryptocurrency mining software on supercomputers. In February 2018, three employees of the Russian Federal Nuclear Center were detained for trying to use the computing power of the center’s supercomputer for cryptocurrency mining. The supercomputer, with a capacity of one petaflops (1,000 trillion operations per second), had been in operation at the organization since 2011. Two of the detained employees received fines; the third was sentenced to three years and three months in prison.
In March of the same year, an investigation into a similar case began at the Melbourne Bureau of Meteorology, where employees had used the organization’s supercomputer to mine cryptocurrency.