Posted on May 17, 2020 at 2:19 PM
Unknown attackers have compromised several European supercomputers and planted crypto-mining malware on them. The affected systems have been shut down while the intrusions are investigated.
Breaches have been reported in Switzerland, Germany, and the UK, and a further intrusion has been reported at a high-performance computing center in Spain.
The University of Edinburgh was the first to report an incident, on Monday. The university operates the ARCHER supercomputer and said that ARCHER's login nodes had been compromised. It took the ARCHER system offline to investigate the breach and reset SSH passwords to prevent further damage.
Series of supercomputers infiltrated in Germany
In the same period, bwHPC, the organization that coordinates research projects on supercomputers in the German state of Baden-Württemberg, announced attacks on five of its supercomputers and shut them down to keep the intrusion from spreading to other systems.
The affected systems were Tübingen University's bwForCluster BinAC bioinformatics cluster, Ulm University's JUSTUS quantum science cluster, the Karlsruhe Institute of Technology (KIT) ForHLR II clusters and bwUniCluster 2.0, and the Hawk supercomputer at the University of Stuttgart.
Another supercomputer affected in Spain
On Wednesday, another report revealed that a supercomputer in Barcelona, Spain, had also been infected. Security researcher Felix Leitner reported that a security issue had affected the system and that its operators had shut it down to limit further damage.
Then on Thursday, more reports came to light. The first came from the Leibniz Computer Center (LRZ), whose operators said a security breach had led them to disconnect a compute cluster from the internet.
Later that day, the Jülich Research Center (Forschungszentrum Jülich) in Germany reported that three of its supercomputers had been infiltrated: JUWELS, JUDAC, and JURECA were taken offline to contain the intrusion.
A supercomputer in Switzerland was also breached: the Swiss Center for Scientific Computations (CSCS) shut down its system after detecting malicious activity and said it would remain offline until a safe environment has been restored.
Then yesterday, Robert Helling, a German scientist, published an analysis of malware that had infiltrated a supercomputer cluster at the Faculty of Physics of the University of Munich, Germany.
Access gained through vulnerable SSH logins
None of the organizations that reported breaches have published details of how the attackers got in. However, the European Grid Infrastructure (EGI) incident response team has released network indicators of compromise and malware samples from some of the incidents.
Based on that report, most of the intrusions appear to have come through compromised SSH logins: the attackers stole credentials from university members who had been granted access to the supercomputers for their research. The stolen SSH logins belonged to users at universities in Poland, China, and Canada.
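As an added illustration, not code from the article or from any of the affected centres, the following Python script shows one way a site could hunt for reused SSH credentials in its sshd logs after an incident like this: it flags any account that was accepted from more than one source network within a time window (a stolen credential being used from the attacker's infrastructure alongside the legitimate user), and lists accounts that still authenticate with passwords so their credentials can be prioritised for reset. The log lines are constructed for the example, and the /24 bucketing stands in for the ASN or geolocation lookup a real deployment would use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (hypothetical; not from any incident report).
SAMPLE_LOG = """\
May 11 03:12:41 login1 sshd[1842]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2: RSA SHA256:abc
May 11 03:14:02 login1 sshd[1850]: Accepted password for bob from 198.51.100.7 port 40112 ssh2
May 11 03:40:19 login2 sshd[2201]: Accepted password for bob from 203.0.113.45 port 33020 ssh2
May 11 04:05:55 login1 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 51010 ssh2: RSA SHA256:abc
May 11 04:30:00 login2 sshd[2402]: Accepted password for carol from 192.0.2.77 port 50001 ssh2
"""

# Matches the standard OpenSSH "Accepted <method> for <user> from <ip>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(log_text, year=2020):
    """Parse successful sshd logins into dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space syslog uses for single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def network_of(ip):
    """Crude /24 bucketing; a real site would map source IPs to ASN or country instead."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_shared_accounts(events, window_hours=24):
    """Return {user: sorted networks} for accounts accepted from more than one
    source network within any window of window_hours, which is the signature of a
    credential being used by its owner and by someone else at the same time."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window over each user's logins
            nets = set()
            for e in evs[i:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_hours * 3600:
                    break
                nets.add(network_of(e["ip"]))
            if len(nets) > 1:
                flagged[user] = sorted(nets)
                break
    return flagged


def password_users(events):
    """Accounts still authenticating with passwords: first candidates for a forced reset."""
    return {e["user"] for e in events if e["method"] == "password"}


if __name__ == "__main__":
    evs = parse_accepted(SAMPLE_LOG)
    for user, nets in find_shared_accounts(evs).items():
        print(f"possible credential reuse: {user} from {', '.join(nets)}")
    print("password logins:", ", ".join(sorted(password_users(evs))))
```

On the constructed input, `bob` is flagged because the account was accepted from two unrelated networks 26 minutes apart, while `alice` (same key, same source both times) is not. Public-key logins are not immune to this check: a stolen private key used from a second network produces the same pattern, which is why the window compares source networks rather than authentication method.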
The attack could have come from one hacking group
According to Chris Doman, co-founder of the security firm Cado Security, a single group may have carried out the attacks. Although there is no firm evidence that the attacks were the work of one group, he said, they share network indicators and malware file names, and they occurred within the same period, so the same threat actor may be responsible.
From his analysis, the attackers, after gaining access to a node, used an exploit for the Linux kernel vulnerability CVE-2019-15666 to obtain root privileges, then deployed an application that mined the Monero (XMR) cryptocurrency.
Adding to the plausibility of a single actor, most of the affected organizations had recently announced that they were prioritizing COVID-19 research, which further suggests the attacks came from the same group.
Because of the shutdowns and the resulting downtime, COVID-19 research that relied on these systems is now on hold.