Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.
One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.”
Working with the National Cyber Security Centre (NCSC), the institution has been forced to rewrite all existing passwords and SSH keys. It is still down at the time of writing.
The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) organization revealed two potentially related security incidents in an analysis on Friday. In both, a malicious actor was blamed for targeting academic data centers for CPU mining.
“The attacker is hopping from one victim to another using compromised SSH credentials,” it explained.
The attackers were logging in from three compromised networks, at the University of Krakow in Poland, Shanghai Jiaotong University and the China Science and Technology Network. It has been claimed that some credentials are shared between academic institutions, making it easier for would-be attackers.
It’s also claimed that the attackers are exploiting CVE-2019-15666 for privilege escalation before deploying a Monero cryptocurrency miner.
Other institutions affected by the campaign include the Swiss Center of Scientific Computations (CSCS), the bwHPC, which runs supercomputers across the German region of Baden-Württemberg, the University of Stuttgart’s HPE Hawk machine, the Leibniz Computing Center (LRZ) and an unnamed facility in Barcelona.
“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto-mining malware used for the attack,” argued ESET cybersecurity specialist, Jake Moore.
“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”