Multiple supercomputers across Europe that are working on COVID-19 research have been targeted by cryptocurrency-mining attacks over the past week. The reports of the incursions started pouring in last Monday, when supercomputers in the United Kingdom and Germany were among the first victims.
Last Monday, the UK’s National Supercomputing Service ARCHER announced that it’d disabled access to its system following the exploitation of its login nodes. The incident is under investigation; according to the notice on the organization’s website, all of the Secure Shell (SSH) keys and ARCHER passwords will be rewritten and no longer be valid. “When ARCHER returns to service all users will be required to use two credentials to access the service: an SSH key with a passphrase and their ARCHER password,” said the center.
Meanwhile, the Baden-Württemberg High Performance Computing of Germany said on its website that it was attacked on the same day as well, leading it to take five of its clusters offline citing a security incident.
However, it wasn’t the only German supercomputer center to be hit. On Thursday, the Leibniz Supercomputing Centre announced that it was temporarily closing access, with the Jülich Supercomputing Centre following suit by taking its JURECA, JUDAC, and JUWELS systems offline due to a “security incident”.
BleepingComputer said that as many as nine German supercomputers may have fallen victim to the attacks.
And that’s still not all. The Swiss National Super Computing Center also acknowledged an attack and said over the weekend that academic centers in Europe and around the world alike were fighting off cyberattacks and since it detected malicious activity as well, it was shutting off external access to its center.
“We are currently investigating the illegal access to the center. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum,” said CSCS’ director Thomas Schulthess.
The European Grid Infrastructure (EGI) published the findings of its Computer Security Incident Response Team (EGI-CSIRT), which investigated two of the security incidents that may or may not be related. Based on their analysis, the bad actor used compromised SSH credentials to gain access to the systems and use them to mine Monero. EGI-CSIRT pointed out that there are victims in Europe, as well as in China and North America; however, it wasn’t able to confirm how the SSH credentials were stolen.
As of now, there is no official statement on whether the attacks were carried out by one threat actor or by various groups. But one might speculate that there might be some relation between them, since the targets were similar, and the attacks were carried out over the span of one week.
ESET cybersecurity specialist Jake Moore had this to say about the attacks: “What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the cryptomining malware used for the attack. All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software,” he added.