Many Supercomputers across Europe were infected this week with malware cryptocurrency mining and stopped working to investigate the intrusions.
Incidents have been reported in the United Kingdom, Germany and Switzerland, and a similar raid is rumored to have taken place at a high-performance computer center in Spain.
OR first report of the attack appeared on Monday from the University of Edinburgh, which manages the ARCHER supercomputer. The University reported a "security operation at the ARCHER connection nodes", and shut down the ARCHER system to further investigate the attack. Change passwords via SSH to prevent further intrusions.
BwHPC is an organization that coordinates supercomputer research projects in Baden-Württemberg, Germany, and announced also on Monday that five of the high-performance computer clusters had to be shut down due to similar "security incidents":
The Hawk supercomputer at the Stuttgart High-Performance Computing Center (HLRS) at the University of Stuttgart
BwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
The bwForCluster for research in quantum science at the University of Ulm
The bwForCluster BinAC bioinformatics supercomputer at the University of Tübingen
Reports continued Wednesday when security investigator Felix von Leitner claimed in a Publication that a supercomputer housed in Barcelona, Spain, was also affected by a similar security issue and had to be shut down.
More incidents occurred the next day, Thursday. The first came from the Leibniz Computing Center (LRZ), an institute of the Bavarian Academy of Sciences, which said it disconnected a computer complex from the Internet after a security breach.
LRZ's announcement was followed later that day by another research center. The Julich Center in Julich, Germany, said the JURECA, JUDAC and JUWELS supercomputers had to be shut down following a "security incident".
New violations appeared and today Saturday. The German scientist Robert Helling published an analysis of malware infecting a high-performance computer complex at the School of Physics at Ludwig-Maximilians University in Munich, Germany.
The Swiss Center for Scientific Computations (CSCS) in Zurich, Switzerland closed also external access to its supercomputer infrastructure after a "cyber-incident" and "until it restores a secure environment".
None of the above posted details of the invasions. Earlier today, however, the Computer Security Incident Response Team (CSIRT) for European Grid Infrastructure (EGI), a pan-European organization that coordinates supercomputer research across Europe, launched samples of malware from some of these incidents.
The malware samples were tested today by Cado Security, a US-based cyber security company. The company said the attackers appeared to have gained access to the supercomputers' clusters through compromised SSH credentials.
Credentials appear to have been stolen by university members who have access to supercomputers. The incoming SSH connections came from universities in Canada, China and Poland.
Chris Doman, co-founder of Cado Security, told ZDNet today that while there is no official evidence to suggest that all of these intrusions were carried out by the same team, the identical names of the malware files suggest that this is very likely. .
According to Doman analysis, as soon as intruders gain access to a supercomputer node, they use an exploit for vulnerability CVE-2019-15666 which helps them gain root access. They then installed a Monero mining application (XMR).
It should be noted that many of the supercomputers that stopped working had given priority to COVID-19 research, which of course has now stopped as a result of the invasion.