Several high-performance computers (HPCs) and data centers used for research projects have been shut down this week across Europe due to security incidents.
Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.
The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “security exploitation on the ARCHER login nodes,” shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.
The bwHPC, the organization that coordinates research projects across supercomputers in the state of Baden-Württemberg, Germany, also announced on Monday that five of its high-performance computing clusters had to be shut down due to similar “security incidents.” This included:
- The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
- The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
- The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
- The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University
Reports continued on Wednesday when security researcher Felix von Leitner claimed in a blog post that a supercomputer housed in Barcelona, Spain, was also impacted by a security issue and had been shut down as a result.
Leibniz Supercomputing Center on Thursday notified users that a security incident affected its high-performance computers, prompting the institute to isolate them from the outside world.
A similar note was posted for the Taurus system at the Technical University in Dresden: “Due to a security issue we have temporarily closed access to Taurus.”
ATTACKERS GAINED ACCESS VIA COMPROMISE SSH LOGINS
None of the organizations above published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, has released malware samples and network compromise indicators from some of these incidents.
The malware samples were reviewed earlier today by Cado Security, a US-based cyber-security firm. The company said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials.
The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland.
Chris Doman, Co-Founder of Cado Security, told ZDNet today that while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor.
According to Doman’s analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.
Making matters worse, many of the organizations that had supercomputers go down this week had announced in previous weeks that they were prioritizing research on the COVID-19 outbreak, which has now most likely been hampered as a result of the intrusion and subsequent downtime.
Supercomputers are extremely powerful systems built on traditional hardware to perform high-speed computations. They are used mainly for scientific work and testing mathematical models for complex physical phenomena and designs.
