Hackers attack European supercomputers with crypto miner
Several supercomputers in Europe were infected last week with cryptocurrency-mining malware. The unknown perpetrators targeted systems in Great Britain, Germany and Switzerland, among others. Some of the high-performance computers had to be switched off as part of the investigations.
The University of Edinburgh reported the first incident a week ago. It reported an attack on the login nodes of the supercomputer Archer. To prevent further intrusion attempts, the system was shut down and the SSH passwords were reset.
In Germany, the attacks hit several members of bwHPC, to which ten universities in Baden-Württemberg belong, including the Hawk supercomputer of the University of Stuttgart, the bwUniCluster 2.0 and the ForHLR II cluster at the Karlsruhe Institute of Technology, bwForCluster Justus at Ulm University and bwForCluster at Tübingen University.
On Thursday, the Leibniz Supercomputing Center of the Bavarian Academy of Sciences also admitted to a break-in on its systems. As a result, a computing cluster was disconnected from the Internet. On the same day, the Forschungszentrum Jülich also shut down the supercomputers Jureca, Judac and Juwels. According to an analysis of the malware by researcher Robert Helling, which was published at the weekend, an HPC cluster at the Physics Faculty of the Ludwig Maximilian University in Munich was also infected.
Finally, the Swiss Center of Scientific Calculations in Zurich reported that it had shut down external access to its supercomputer infrastructure. This statement, too, speaks of a cyber incident.
Several supercomputers across Europe were thus attacked by hackers who broke in with the intention of mining cryptocurrency.
The affected institutions have not yet commented on the details of the attacks. However, the Computer Security Incident Response Team of the European Grid Infrastructure, which coordinates research on supercomputers in Europe, published samples of the malware as well as indicators that point to a possible infection.
The samples were investigated by the US security provider Cado Security, among others. The attackers compromised the supercomputers via stolen SSH credentials. The login credentials belonged to universities in China, Canada and Poland. According to Chris Doman, co-founder of Cado Security, there is no clear evidence that all incidents can be attributed to a single attacker, but similar filenames of the malware suggest this.
For example, the attackers are said to have always used an exploit for the vulnerability with the identifier CVE-2019-15666 to gain root privileges. They are then said to have deployed an application that mines the cryptocurrency Monero.
The attacks may have an impact on research into the COVID-19 pandemic. Some of the systems that have now been shut down had announced in recent weeks that they would prioritize research on the novel coronavirus.