A group of cybercriminals has installed cryptocurrency-mining malware on several supercomputers across Europe, which have been shut down for the duration of the investigation, according to ZDNet.
The University of Edinburgh, which manages the ARCHER supercomputer, suffered the first attack. It reported that it had disabled access to the system and reset all SSH passwords after a security flaw on the access (login) nodes was exploited.
On the same day, bwHPC, the organization that coordinates research projects on supercomputers in the German state of Baden-Württemberg, announced that five of its high-performance computing clusters had been shut down following a similar security incident.
Days later, the Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences announced that it had disconnected a computing cluster from the Internet after a security breach.
Representatives of the Jülich Research Center announced that they had shut down the JURECA, JUDAC and JUWELS supercomputers after a computer security incident. The Technical University of Dresden also announced that it had to shut down its Taurus supercomputer.
Although none of the organizations whose supercomputers were affected by these incidents has published details of what happened, the Computer Security Incident Response Team (CSIRT) of the European Grid Infrastructure (EGI) has published malware samples and indicators of compromise from some of the attacks.
After reviewing the malware samples, the cybersecurity company Cado Security concluded that the attackers gained access to the supercomputer clusters using compromised SSH credentials. These credentials appear to have been stolen from members of universities in Canada, China, and Poland who had been granted access to the supercomputers to run demanding, long-running computing jobs.
According to the same analysis, once on a system the attackers exploited the Linux kernel vulnerability CVE-2019-15666 to gain root access and then deployed a miner for the Monero cryptocurrency.
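The attack chain described above starts with legitimate SSH logins made with someone else's credentials, which look like ordinary successful authentications in sshd logs. One practical check an HPC site can run over its login-node logs is to flag accounts whose accepted logins arrive from more than one source address within a short window, which is a common signature of a stolen or shared credential, and to list accounts still authenticating by password. The script below is an added example, not code from Cado Security, EGI CSIRT or any of the affected sites; the log lines, user names and IP addresses are constructed for illustration, and the 24-hour window and log format (standard OpenSSH syslog output) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines; the hosts, users and addresses are
# made up for this example and are not taken from any real incident.
SAMPLE_LOG = """\
May 11 08:02:11 login1 sshd[4121]: Accepted publickey for alice from 198.51.100.7 port 50222 ssh2
May 11 08:40:55 login1 sshd[4390]: Accepted publickey for bob from 203.0.113.20 port 51012 ssh2
May 11 09:15:03 login1 sshd[4512]: Accepted publickey for alice from 192.0.2.44 port 40211 ssh2
May 11 09:16:40 login1 sshd[4519]: Failed password for alice from 192.0.2.44 port 40212 ssh2
May 11 12:30:00 login1 sshd[5001]: Accepted password for carol from 198.51.100.9 port 49933 ssh2
May 12 10:00:00 login1 sshd[6100]: Accepted publickey for bob from 203.0.113.20 port 51200 ssh2
"""

# Matches only successful logins in the standard OpenSSH syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(log_text, year=2020):
    """Return a list of (timestamp, user, source_ip, auth_method) tuples
    for every 'Accepted ...' line. Syslog lines carry no year, so the
    caller supplies it (assumed 2020 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["method"]))
    return events


def find_shared_credentials(events, window=timedelta(hours=24)):
    """Return {user: sorted list of source IPs} for accounts that logged
    in successfully from more than one address within `window`.
    A single account arriving from several networks in one day is a
    strong hint that its key or password is in more than one pair of hands."""
    by_user = defaultdict(list)
    for ts, user, ip, _method in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts_i, _ip_i) in enumerate(logins):
            # All distinct addresses seen from this login until the window closes.
            ips = {ip for ts, ip in logins[i:] if ts - ts_i <= window}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def find_password_logins(events):
    """Return the sorted list of accounts that authenticated with a
    password; sites that require keys can treat any hit as a policy gap."""
    return sorted({user for _ts, user, _ip, method in events if method == "password"})


if __name__ == "__main__":
    evts = parse_accepted(SAMPLE_LOG)
    for user, ips in find_shared_credentials(evts).items():
        print(f"possible shared/stolen credential: {user} from {', '.join(ips)}")
    for user in find_password_logins(evts):
        print(f"password authentication accepted for: {user}")
```

Run against the constructed log, the script flags alice (logins from 198.51.100.7 and 192.0.2.44 about an hour apart) and reports carol as a password login, while bob, who always arrives from the same address, is not flagged. On a real site the window and the "more than one address" rule need tuning for users who legitimately roam between campus and home networks; grouping by country or ASN instead of exact address reduces that noise.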
Never before have so many supercomputers had to be disconnected at once because of a security incident. Many of these systems were being used for COVID-19 research at the time.