European supercomputers hacked and forced to mine cryptocurrency

[DronVR]

European supercomputers hacked and forced to mine cryptocurrency

Supercomputers across Europe were attacked: heavy duty machines forced secretly to mine cryptocurrency. Reports of such incidents came from the UK, Germany and Switzerland, and, according to unconfirmed reports, a high-performance computer center in Spain suffered from a similar attack.

First attack message arrived last week from the University of Edinburgh, which houses the ARCHER supercomputer. As we already wrote, the administration was forced to suspend the work of ARCHER, as well as reset SSH passwords to prevent further attacks.

Then the German organization BwHPC, which coordinates research projects on supercomputers in Germany, also announced that five of its high-performance computing clusters will be temporarily unavailable due to similar problems. Disabled:

• Hawk supercomputer installed at the University of Stuttgart at the High-Performance Computing Center Stuttgart;​
• bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology;​
• bwForCluster JUSTUS supercomputer, hosted by the University of Ulm and used by chemists and quantum computer scientists;​
• bwForCluster BinAC supercomputer installed at the University of Tübingen and used by bioinformatics.​

After that, IB researcher Felix von Leitner reported on his blog that a supercomputer located in Spain was also attacked, as a result of which it temporarily does not work.

Last Thursday, hacking messages continued to arrive. So oh hacking said representatives The Leibniz Computing Center, operating under the patronage of the Bavarian Academy of Sciences. Due to the attack, the computing cluster was disconnected there.

On the same day, the Julich Research Center, in Germany, also reported compromise. Officials said they had to close access to supercomputers JURECA, JUDAC and JUWELS.

Technical University Dresden on this day announced that is forced to suspend the operation of its supercomputer Taurus.

Last weekend, the Swiss Center for Scientific Computing (CSCS) in Zurich also was forced close external access to its supercomputer infrastructure due to an attack.

Interestingly, none of the above organizations published almost any details of what happened. Only now has the situation begun to clear up: experts from CSIRT (a European organization that coordinates research on supercomputers throughout Europe) released samples of malvari and indicators of compromise for some of the incidents.

Also last weekend, German expert Robert Helling published an analysis of malvari, that infected a high-performance computing cluster at the physics department of the Ludwig-Maximilian University in Munich.

The malware samples released by experts have already been analyzed Cado Security analysts. The company writes that the attackers seem to have gained access to supercomputer clusters through compromised SSH credentials (as previously confirmed by the ARCHER administration).

Apparently, the credentials were stolen from university staff, who were given access to supercomputers to perform the calculations. The “stolen” SSH data belonged to universities in Canada, China and Poland.

Although there is no conclusive evidence that all attacks were carried out by the same hacker group, similar malvari file names and network indicators indicate that the same people could be behind all the incidents.

Cado Security researchers believe that after gaining access to the supercomputer node, hackers used an exploit for vulnerability CVE-2019-15666 , which allowed them to provide themselves with root access and deploy the Monero cryptocurrency miner (XMR) on the infected supercomputer.

However, it is worth noting one more interesting fact that we already paid attention to last week: many organizations whose supercomputers were attacked previously announced that they give priority to research related to COVID-19. In the end, there is a theory that hackers wanted to steal the results of these studies or simply sabotage them.

Source

 

[Матушкин Андрей Николаевич]

Supercomputers across Europe were attacked: heavy duty machines forced secretly to mine cryptocurrency. Reports of such incidents came from the UK, Germany and Switzerland, and, according to unconfirmed reports, a high-performance computer center in Spain suffered from a similar attack.

Thank! Extremely interesting information!

 

[Администратор]

Supercomputers across Europe were attacked: heavy duty machines forced secretly to mine cryptocurrency. Reports of such incidents came from the UK, Germany and Switzerland, and, according to unconfirmed reports, a high-performance computer center in Spain suffered from a similar attack.

First attack message arrived last week from the University of Edinburgh, which houses the ARCHER supercomputer. As we already wrote, the administration was forced to suspend the work of ARCHER, as well as reset SSH passwords to prevent further attacks.

It's only the beginning.

 

[Макаров Виталий Николаевич]

Thanks for the interesting stuff!