Supercomputers Across The EU Are Being Targeted By Hackers To Mine Cryptocurrency

A number of supercomputers across Europe have been targeted by malware that focuses on mining for cryptocurrency (Monero). The malware has forced supercomputers in the UK, Germany, and Switzerland to be shutdown as operators investigate the security incidents. The high-performance computing center in Spain was also reportedly targeted by a malware attack.

The first reported attack surfaced last Monday and came from the University of Edinburg, home of the ARCHER supercomputer. The university reported that there was a "security exploitation on the ARCHER login nodes." ARCHER operators shutdown the system for an investigation, and all SSH passwords were reset to prevent further intrusions.

In Germany, an organization that coordinates research projects across supercomputers within the state of Baden-Württemberg reported similar security intrusions with five of its high-performance computing clusters, requiring them each to be shutdown. That attack impacted the Hock supercomputer at the University of Stuttgart, the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology, Ulm University's bwForCluster JUSTUS chemistry and quantum science supercomputer, and the bwForCluster BinAC bioinformatics supercomputer at Tübingen University.

On Wednesday, security researcher Felix von Leitner claimed that a supercomputer in Barcelona was also impacted by a security issue and shutdown. On Thursday, the Leibniz Computing Center (LRZ) at the Bavarian Academy of Sciences was forced to disconnect a computing cluster after a security breach was discovered. The same day, the Julich Research Center announced that it had to shutdown the JURECA, JUDAC, and JUWELS supercomputers after a security incident. Other systems impacted by security issues included one at Ludwig-Maximilians University in Munich and a system at the Swiss Center of Scientific Computations in Zurich.

While none of the organizations have given any further explanation on the security issues that forced the supercomputers to be taken offline, details have surfaced via other organizations. The Computer Security Incident Response Team from the European Grid Infrastructure released malware samples and network compromise indicators from some of the incidents. Those samples were reviewed by Cado Security, a cybersecurity company in the United States. Cado reported that the attackers appeared to have gained access to the impacted supercomputers via compromised SSH credentials.

The security firm reports the credentials appeared to have been stolen from university staff who had been given access to the supercomputers. Stolen credentials reportedly belong to staffers from universities located in Canada, China, and Poland. Cado Security did report that there was no official evidence to confirm that all of the attacks had been carried out by the same group. However, similar malware filenames and network indicators suggest the attacks were perpetrated by the same group.

Once the attackers had access, they used an exploit for the CVE-2019-1566 vulnerability to gain root access and deploy malware to mine Monero cryptocurrency. Several of these supercomputers had been prioritizing COVID-19 research, and the forced shutdowns will impact that research. COVID-19 research is a top priority all around the world, recently Folding@home was ranked as the world's fastest supercomputer churning out 2.4 ExaFLOPS for COVID-19 research.