Several supercomputers across Europe have been compromised in order to exploit their massive computational power for cryptocurrency mining. According to reports, supercomputers in the UK, Germany, Switzerland and Spain have been shut down to prevent further intrusion and to investigate the attacks.
The Chain of Cyberattacks
The chain of cyberattacks began last week with an attack on the HPC centers in Germany, followed by an identical attack on the University of Edinburgh in the UK. The ARCHER supercomputer at the University of Edinburgh was taken down immediately for further investigation.
Germany-based organisation bwHPC, which is responsible for coordinating research projects across supercomputers in the state of Baden-Württemberg, has said that five of its supercomputers have been shut down following similar security incidents.
The list published by bwHPC includes the University of Stuttgart's High-Performance Computing Center Stuttgart (HLRS) supercomputer dubbed Hawk, the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT), bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University, and bwForCluster BinAC bioinformatics supercomputer at Tübingen University.
The following day, security researcher Felix von Leitner confirmed through a blog post that supercomputers in Barcelona, Spain, had been hit by a similar attack.
The researcher reported that a backdoor had been found on many of the HPC systems in Germany. He also stated that the attack vector, and anything more about the kill chain, had not yet been identified.
The attacks continued on Thursday, when a large computing cluster at the Leibniz Computing Center of the Bavarian Academy of Sciences was reportedly taken offline following a cybersecurity breach. Later the same night, another Germany-based research institute, the Jülich Research Center in the town of Jülich, shut down its three supercomputers, Jureca, Judac and Juwels, following a security breach.
On May 15, a German scientist named Robert Helling published an analysis of the malware that infected the faculty of physics at the Ludwig-Maximilians University in Munich. The attackers used compromised SSH logins to gain control of the system.
Switzerland-based Swiss Center of Scientific Computations (CSCS) shut down its supercomputing clusters following an attack.
Security Analysis
Though none of these entities has revealed further details about the attacks, Cado Security, a US-based cybersecurity firm, has confirmed that the attackers intruded into the systems by compromising SSH credentials. Chris Doman, Co-Founder of Cado Security, told ZDNet that the attackers exploited the CVE-2019-15666 vulnerability to gain root access to the system and installed a Monero cryptocurrency miner.
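One cheap defensive signal for the compromised-credential vector described above, given here as an added example (not code from any of the affected centres or from Cado Security): it parses standard OpenSSH "Accepted" log lines and flags accounts that authenticate from more than two distinct source addresses within an hour, which is one way a stolen login reused from elsewhere shows up. The log lines, the year, and the thresholds are constructed assumptions.

```python
"""Flag SSH accounts whose accepted logins arrive from an unusual number of
distinct source addresses inside a short window.  Added example; the log
lines below are constructed, not taken from any affected site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard OpenSSH sshd syslog line (assumed format), e.g.
# "May 11 02:14:07 login1 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)

# Constructed sample: alice's key is used from three addresses within 45 minutes,
# bob logs in from one address (his failed attempt is ignored by the parser).
SAMPLE_LOG = """\
May 11 02:14:07 login1 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
May 11 02:20:31 login1 sshd[4188]: Accepted password for bob from 192.0.2.10 port 40011 ssh2
May 11 02:25:02 login1 sshd[4199]: Failed password for bob from 198.51.100.7 port 40012 ssh2
May 11 02:41:15 login1 sshd[4301]: Accepted publickey for alice from 198.51.100.7 port 50100 ssh2
May 11 02:55:48 login1 sshd[4350]: Accepted publickey for alice from 203.0.113.9 port 50200 ssh2
May 11 09:10:00 login1 sshd[5001]: Accepted publickey for bob from 192.0.2.10 port 40020 ssh2
""".splitlines()

def parse_accepted(lines, year=2020):
    """Yield (timestamp, user, source, method) for each accepted login.
    syslog lines carry no year, so one is supplied (assumption: 2020)."""
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # failures, disconnects and other lines are not used here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"], m["method"]

def suspicious_accounts(lines, window=timedelta(hours=1), max_sources=2):
    """Return {user: sorted(sources)} for every account seen from more than
    max_sources distinct addresses within any sliding window of `window`."""
    per_user = defaultdict(list)
    for ts, user, src, _ in sorted(parse_accepted(lines)):
        per_user[user].append((ts, src))  # kept in time order
    flagged = {}
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            srcs = {s for t, s in hits[i:] if t - start <= window}
            if len(srcs) > max_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged

if __name__ == "__main__":
    for user, srcs in suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: accepted from {len(srcs)} addresses: {', '.join(srcs)}")
```

On a real host, feed it `/var/log/auth.log` or `journalctl -u ssh` output and tune the window and threshold to the site's normal login patterns before acting on a hit.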