Hackers turn supercomputers into cryptocurrency mining rigs

Hackers managed to install cryptocurrency-mining malware on several supercomputers across Europe, which have had to be shut down while the incidents are investigated. Security incidents have been reported at supercomputer facilities in the UK, Germany and Switzerland, and a similar incident is rumored to have occurred at a high-performance computing center in Spain.

The University of Edinburgh, which manages the ARCHER supercomputer, was the first to report an attack: it disabled access to the system and reset SSH passwords after detecting security exploitation on the ARCHER login nodes. On the same day, the organization that coordinates research projects across supercomputers in the German state of Baden-Württemberg announced that five of its high-performance computing clusters had been shut down following similar security incidents. Later in the week, the Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences announced that it had disconnected a computing cluster from the Internet following a security breach. Officials at the Jülich Research Centre announced the shutdown of the JURECA, JUDAC and JUWELS supercomputers after a computer security incident, and the Technical University of Dresden announced that it would also shut down its Taurus supercomputer.

Target supercomputers

While none of the organizations whose supercomputers were affected have released details about the incidents, the Computer Security Incident Response Team (CSIRT) of the European Grid Infrastructure (EGI) has released malware samples and network indicators of compromise for some of the attacks. After examining these samples, UK-based cybersecurity firm Cado Security concluded that the attackers gained access to the supercomputer clusters using compromised SSH credentials. The credentials appear to have been stolen from university personnel in Canada, China and Poland who had access to the supercomputers to run complex, compute-intensive jobs. Cado Security co-founder Chris Doman told ZDNet that the similar malicious file names and network indicators suggest the incidents may have been caused by the same threat actor. According to his analysis, once on a system the attacker exploited CVE-2019-15666, a vulnerability in the Linux kernel, to gain root access, and then deployed an application that mined the Monero cryptocurrency. Having to shut down this many supercomputers at once because of security incidents is unprecedented, and unfortunately many of these systems were being used for Covid-19 research at the time.

via ZDNet
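The intrusion chain described above starts with a legitimate user's SSH credentials, so the first place an HPC centre would look is its login-node authentication logs. The following is an added example, not code from ZDNet, Cado Security, EGI CSIRT or any of the affected centres: a small triage pass over constructed sshd log lines that flags the pattern a stolen credential tends to leave, namely one account authenticating from several unrelated source addresses within a short window, and lists password (rather than key) logins, which is the class of access ARCHER responded to by resetting passwords. The log lines, hostnames, usernames, IP addresses and thresholds are all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog lines for illustration only (assumed year 2020).
# They are not real log data from any of the affected centres.
SAMPLE_LOG = """\
May 11 08:02:11 login1 sshd[4021]: Accepted password for alice from 198.51.100.7 port 50211 ssh2
May 11 08:05:40 login1 sshd[4099]: Accepted publickey for bob from 203.0.113.5 port 41022 ssh2
May 11 08:40:02 login2 sshd[5120]: Accepted password for alice from 192.0.2.44 port 33010 ssh2
May 11 09:10:15 login1 sshd[5301]: Accepted password for alice from 203.0.113.200 port 61000 ssh2
May 11 09:12:00 login1 sshd[5310]: Failed password for root from 192.0.2.44 port 33011 ssh2
May 12 10:00:00 login2 sshd[7001]: Accepted publickey for bob from 203.0.113.5 port 41500 ssh2
"""

# Matches only successful logins; "Failed ..." lines are deliberately ignored here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(log_text, year=2020):
    """Parse successful sshd logins into a list of event dicts.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "host": m["host"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def flag_shared_credentials(events, window=timedelta(hours=24), min_ips=3):
    """Return {user: sorted source IPs} for accounts that logged in from at
    least `min_ips` distinct addresses inside any rolling `window`.

    A researcher normally connects from one or two places; a credential that
    suddenly appears from several unrelated networks deserves a look.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def password_logins(events):
    """Return sorted (user, ip) pairs that authenticated with a password.

    Password logins are the ones a phished or reused credential can exploit;
    key-only access on login nodes removes this class entirely.
    """
    return sorted({(e["user"], e["ip"]) for e in events if e["method"] == "password"})


if __name__ == "__main__":
    evs = parse_accepted(SAMPLE_LOG)
    for user, ips in flag_shared_credentials(evs).items():
        print(f"suspicious: {user} seen from {len(ips)} addresses: {', '.join(ips)}")
    for user, ip in password_logins(evs):
        print(f"password auth: {user} from {ip}")
```

The thresholds are deliberately conservative; on a real login node you would tune the window and IP count to the site's user base and feed the flagged accounts into the same triage that checks for the published indicators of compromise.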