Crooks have compromised supercomputers across Europe to deploy cryptocurrency miners, incidents have been already reported in the UK, Germany, and Switzerland. Rumors are circulating about a similar infection of a supercomputer located in Spain.
The supercomputers have shut down to investigate the security breaches.
On Monday, the German bwHPC organization announced that five of its supercomputers had to be shut down due to a cryptominer infection.
Below the message published by the organization:
“Dear users, due to an IT security incident the state-wide HPC systems
Another system that was reportedly infected early last week, is the ARCHER supercomputer at the University of Edinburgh.
“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.” reads the status page for the system.
“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system.”
The organization reset SSH passwords in response to the incident.
On Wednesday another supercomputer was compromised the system was located in Barcelona, Spain and the infection was reported by security researcher Felix von Leitner.
“More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it was disconnected a computing cluster from the internet following a security breach.” reported ZDNet.
“The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.”
Other similar incidents made the headlines, on Saturday a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany was infected with a malware.
The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also reported a cyber incident and it shut down any external access to its infrastructure in response to the security breach.
“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the centre has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS.” reads the security advisory.
“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum” says CSCS-Director Thomas Schulthess.”
Today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure has released technical details of a malware involved in these incidents.
Researchers from security firm Cado Security also released Indicators of Compromise (IoCs).
ZDNet, citing the opinion of a security researcher, speculates that threat actors have exploited the CVE-2019-15666 vulnerability to gain root access to the supercomputers then deploy a Monero (XMR) cryptocurrency miner.
Other experts speculate that the supercomputers were hacked by nation-state actors because they were involved in the research on the COVID-19 outbreak.
(SecurityAffairs – supercomputers, hacking)