Even supercomputers are not immune to hacking these days. ZDNet reports that multiple supercomputers have been infected across Europe this week. Security incidents have reportedly occurred in the UK, Germany and Switzerland. The infections involve cryptocurrency mining malware, and the affected supercomputers have been shut down to investigate the intrusions. The report adds that such an incident has also been reported at a “high-performance computing center located in Spain.”
The first such report of a cryptocurrency mining malware attack on supercomputers came to light last week. The information came from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “security exploitation on the ARCHER logic nodes” and decided to shut down the system for further investigation. To prevent any further intrusions, it also decided to reset SSH passwords. ZDNet further notes that bwHPC, which coordinates research projects across supercomputers in the state of Baden-Württemberg, Germany, also announced a similar incident on Monday.
Supercomputers hacked for cryptocurrency mining
bwHPC reportedly had to shut down five of its high-performance computing clusters. These include:
The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
The bwForCluster JUSTUS chemistry and quantum science supercomputer at Ulm University
The bwForCluster BinAC bioinformatics supercomputer at Tübingen University
Security researcher Felix von Leitner wrote in a blog post that a supercomputer in Barcelona, Spain has also been impacted by a security issue. More incidents surfaced on Thursday including the first one from the Leibniz Computing Center (LRZ). On Saturday, German scientist Robert Helling published an analysis of the malware that infected a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany. The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also shut down external access to its supercomputer infrastructure.
While none of the affected organizations have published any details, the cause is believed to be compromised SSH logins. The Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) has released malware samples and network compromise indicators from some of these incidents. These samples were reviewed earlier today by Cado Security, a US-based cybersecurity firm. The firm said that the attacker seems to have gained access via compromised SSH credentials. The credentials, according to the company, were stolen from university members with access to the supercomputers.
Chris Doman, Co-Founder of Cado Security, told ZDNet that these attacks might have been carried out by the same threat actor. Doman further noted that once the attackers gained access to a supercomputing node, they used an exploit for the CVE-2019-15666 vulnerability to gain root access. They then deployed an application that mined the Monero (XMR) cryptocurrency. All of these supercomputer networks were prioritizing research on the COVID-19 outbreak. This is the first time that hackers have run cryptocurrency mining malware on supercomputers, raising serious concerns.