Supercomputer Hacks Become Frequent in Europe Due to Crypto Mining


Several supercomputers across Europe were infected with cryptocurrency mining malware this week. The infected supercomputers have been shut down while the intrusions are investigated.

Security incidents have been reported in the United Kingdom, Germany, and Switzerland. It is rumored that a similar intrusion happened at a high-performance computer in Spain.

Who was attacked?

The first report of an attack surfaced on Monday. It came from the University of Edinburgh, the organization responsible for running the ARCHER supercomputer. According to the organization's report, a security exploitation on the login nodes led it to shut down the ARCHER system for investigation.

The organization reset the SSH passwords to avoid further intrusions.

The bwHPC is an organization located in the state of Baden-Württemberg, Germany. It coordinates research projects across supercomputers located in that state.

The organization also announced on Monday that five of its high-performance computing clusters had been shut down because of similar security incidents.

On Wednesday, the reports continued with a claim in a blog post by security researcher Felix von Leitner. According to the post, a security issue also hit a supercomputer housed in Barcelona, Spain, and the supercomputer was shut down as a result.

More incidents came to light the next day. The first was from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Science. The LRZ said that it had disconnected a computing cluster from the internet after a security attack.

Following the announcement from LRZ, the Julich Research Center, located in the town of Julich, Germany, also reported an incident. Officials said that due to an IT security incident, they had to shut down the JURECA, JUDAC, and JUWELS supercomputers.

The same happened at the Technical University in Dresden, which announced that it had to shut down its Taurus supercomputer as well.

On Saturday, new incidents were reported. German scientist Robert Helling published an analysis of malware that infected a high-performance computing cluster at the Faculty of Physics at Ludwig-Maximilians University.

Following a cyber-incident, the Zurich-based Swiss Center of Scientific Computations shut down external access to its supercomputer infrastructure until a safe environment has been restored.

What These Organizations Know So Far

None of the organizations above published details of the intrusions. On May 16, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers throughout Europe, provided malware samples and network compromise indicators from some of the incidents.

Cado Security, a UK-based cyber-security firm, analyzed the samples that same day and reported that the hackers seem to have gained access to the supercomputer clusters through compromised SSH credentials. The credentials appear to have been stolen from university members who had been given access to the supercomputers to run computing jobs. The stolen SSH logins belonged to universities in Canada, China, and Poland.
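Because the intruders logged in with valid SSH credentials, the login itself looks legitimate; what differs is where it comes from. The sketch below is an added example, not code from Cado Security, EGI, or any affected site: it assumes standard OpenSSH `sshd` syslog lines and uses constructed log entries with documentation address ranges to flag accepted logins from a source network an account has never used before.

```python
import ipaddress
import re
from collections import defaultdict

# Matches OpenSSH success lines such as:
# "... sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2"
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port \d+")

def source_network(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network so DHCP churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_accepted(lines):
    """Yield (user, ip, method) for successful logins; failures and noise are skipped."""
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            yield m["user"], m["ip"], m["method"]

def first_seen_logins(baseline_lines, new_lines):
    """Return logins in new_lines from a network absent from that user's baseline."""
    known = defaultdict(set)
    for user, ip, _ in parse_accepted(baseline_lines):
        known[user].add(source_network(ip))
    alerts = []
    for user, ip, method in parse_accepted(new_lines):
        net = source_network(ip)
        if net not in known[user]:
            alerts.append((user, ip, method))
            known[user].add(net)  # alert once per new network, not per login
    return alerts

# Constructed sample data: invented users and host, RFC 5737 documentation addresses.
BASELINE = [
    "May 10 08:01:11 login1 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "May 10 10:22:40 login1 sshd[1377]: Accepted password for bob from 198.51.100.7 port 41810 ssh2",
    "May 10 10:30:02 login1 sshd[1390]: Failed password for bob from 203.0.113.99 port 41999 ssh2",
]
RECENT = [
    "May 11 09:14:02 login1 sshd[2211]: Accepted publickey for alice from 192.0.2.77 port 50200 ssh2",
    "May 11 23:51:37 login1 sshd[2307]: Accepted password for bob from 203.0.113.45 port 60022 ssh2",
    "May 11 23:58:09 login1 sshd[2310]: Accepted password for bob from 203.0.113.46 port 60031 ssh2",
]

if __name__ == "__main__":
    for user, ip, method in first_seen_logins(BASELINE, RECENT):
        print(f"review: {user} logged in via {method} from new network {ip}")
```

On a shared research cluster, users do travel and partner sites change, so a hit is a prompt to contact the account owner rather than proof of compromise.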

Chris Doman, the co-founder of Cado Security, said that similar file names and network indicators suggest that a single culprit was behind the incidents. However, no evidence establishes that the same group carried out all of the intrusions.

In his analysis, Doman said that the attackers exploited CVE-2019-15666 to gain root access after gaining access to a computing node. The attackers then deployed an application that mines the Monero (XMR) cryptocurrency.

Making matters worse, many of the organizations whose supercomputers went down this week had announced the previous week that they would prioritize research on the COVID-19 outbreak.

Not the First Time to Happen

This is not the first time crypto-mining malware has been installed on supercomputers. However, it is notable that a hacker did it this time. In past incidents, it was usually an employee who installed the crypto-mining malware, typically for personal gain.

The Russian authorities’ arrest of the engineers from the Russian Nuclear Center serves as an example. A similar case at the Bureau of Meteorology was under investigation in Australia, where an employee was caught using the agency’s supercomputer to mine cryptocurrency.
