Supercomputers in Switzerland, Germany, Spain, and the UK were hacked in the attack.
Incidents in which company employees infected supercomputers with crypto-mining malware for monetary gain have been reported in the past. But this is the first time that hackers have managed to do the same on a large scale, proving that even supercomputers are prone to hacking nowadays.
According to reports, there have been multiple incidents across the UK, Switzerland, Germany, and other parts of Europe, including a high-performance computer facility in Spain, where unknown hackers installed cryptocurrency mining malware on supercomputers. The computers have now been shut down while the investigations are underway.
The first such incident was reported last week by the University of Edinburgh, which runs the ARCHER supercomputer. It was observed that somebody tried to exploit the login nodes of the supercomputer. The organization immediately shut it down after resetting its SSH password to prevent further intrusion.
On Monday, a similar incident was reported by the bwHPC, which is responsible for coordinating research projects across supercomputers located in the state of Baden-Württemberg, Germany.
As a result, five high-performance computing clusters were shut down, including the bwUniCluster 2.0 (a) and ForHLR II (b) clusters (Karlsruhe Institute of Technology), the bwForCluster JUSTUS chemistry (c) and quantum science supercomputer (d) (Ulm University), the bwForCluster BinAC bioinformatics supercomputer (e) (Tübingen University), and the Hawk supercomputer (f) (University of Stuttgart).
Security researcher Felix von Leitner reported that a Barcelona, Spain-based supercomputer has been affected as well. The reports of incidents kept surfacing until Thursday when the Leibniz Computing Center (LRZ) also reported a security exploitation incident.
On Saturday, German scientist Robert Helling reported that a high-performance computer cluster located at the Ludwig-Maximilians University, Munich, Germany, had been infected, while the Zurich, Switzerland-based Swiss Center of Scientific Computations also shut down all external access points to its supercomputers.
Despite so many incidents of supercomputers getting infected across Europe, none of the affected organizations have released details of their investigations. It is, however, speculated that the reason for such a wide-scale infection in supercomputers is compromised SSH logins.
Some malware samples and network compromise indicators released by the Computer Security Incident Response Team (CSIRT) for European Grid Infrastructure (EGI) were examined by US cybersecurity firm Cado Security.
The US firm revealed that the attacker may have accessed the supercomputers using compromised SSH credentials, which might have been stolen from university members who had access to the devices for running computing jobs. The hacked SSH logins belonged to universities located in Poland, Canada, and China.
Cado Security co-founder Chris Doman believes that the same attacker is responsible for carrying out these attacks. After gaining access to a supercomputing node, the attacker was able to obtain root access by exploiting the CVE-2019-15666 vulnerability and then deployed an application to mine for Monero (XMR) cryptocurrency.
Interestingly, all the compromised supercomputer networks were being used in ongoing research on the COVID-19 pandemic.