Many Supercomputers across Europe became infected this week with malicious cryptocurrency mining software and stopped working to investigate the intrusions.
Incidents have been reported in the United Kingdom, Germany and Switzerland, and a similar raid is rumored to have taken place at a high-performance computer center in Spain.
Η first report of the attack emerged on Monday from the University of Edinburgh, which operates the ARCHER supercomputer. The University reported a "security exploit in ARCHER connection nodes", and shut it down system ARCHER to further investigate the attack. Changed passwords via SSH to prevent further intrusions.
BwHPC is an organization that coordinates supercomputer research projects in Baden-Württemberg, Germany, and he said also on Monday that five of the high performance computer clusters had to be shut down due to similar “incidents security"
The Hawk supercomputer at the Stuttgart High-Performance Computing Center (HLRS) at the University of Stuttgart
BwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
The bwForCluster for quantum science research at the University of Ulm
The bwForCluster BinAC bioinformatics supercomputer at the University of Tübingen
Reports continued Wednesday when security investigator Felix von Leitner claimed in a Publication that a supercomputer housed in Barcelona, Spain, was also affected by a similar security issue and had to be shut down.
Περισσότερα περιστατικά εμφανίστηκαν την επόμενη μέρα, την Πέμπτη. Το πρώτο προήλθε από το Leibniz Computing Center (LRZ), ένα ινστιτούτο της Βαυαρικής Ακαδημίας Επιστημών, το οποίο είπε ότι αποσύνδεσε ένα σύblueγμα υπολογιστών από το Διαδίκτυο μετά από μια παραβίαση ασφαλείας.
LRZ's announcement was followed later that day by another research center. The Julich Center in the German city of Julich said the JURECA, JUDAC and JUWELS supercomputers had to be shut down following a "security incident".
New violations appeared and today Saturday. The German scientist Robert Helling he published an analysis of malware infecting a high-performance computer complex at the School of Physics at Ludwig-Maximilians University in Munich, Germany.
The Swiss Center for Scientific Computations (CSCS) in Zurich, Switzerland closed also external access to its supercomputer infrastructure after a "cyber-incident" and "until it restores a secure environment".
None of the above have released details of the hacks. However, earlier today the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates the research for supercomputers across Europe, has been released samples of malware from some of these incidents.
The malware samples were tested today by Cado Security, a US-based cyber security company. The company said the attackers appeared to have gained access to the supercomputers' clusters through compromised SSH credentials.
Credentials appear to have been stolen by university members who have access to supercomputers. The incoming SSH connections came from universities in Canada, China and Poland.
Chris Doman, co-founder of Cado Security, told ZDNet today that while there is no official evidence to suggest that all of these intrusions were carried out by the same team, the identical names of the malware files suggest that this is very likely. .
According to Doman analysis, once intruders gain access to a supercomputer node, they use an exploit for vulnerability CVE-2019-15666 which helps them gain root access. Then they installed an application for mining Monero (XMR).
It should be noted that many of the supercomputers that have stopped operating have given priority to COVID-19 research, which of course has now stopped as a result of the invasion.
