Supercomputers shut down after cryptomalware attacks

Numerous security attacks were reported in the UK, Germany, Switzerland, and Spain

ARCHER supercomputer at the University of Edinburgh

Several European supercomputers were shut down for investigation after they were infected with cryptocurrency-mining malware last week. A ZDNet report said the malware is designed to mine the Monero (XMR) virtual currency.

The first attack was reported on Monday, 11 May, by the University of Edinburgh, which operates the ARCHER supercomputer. The ARCHER system was shut down to investigate "security exploitation on the ARCHER login nodes", and its SSH passwords were reset to prevent further intrusions.

bwHPC also announced that five of its high-performance computing clusters were shut down due to the same security breach. bwHPC is an organization that manages research projects across supercomputers in Baden-Württemberg, Germany.

Clusters affected by the security breach include the Hawk supercomputer at the University of Stuttgart's High-Performance Computing Center Stuttgart (HLRS), the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT), the bwForCluster JUSTUS chemistry and quantum science supercomputer at Ulm University, and the bwForCluster BinAC bioinformatics supercomputer at Tuebingen University.

In a blog post, security researcher Felix von Leitner claimed on Wednesday, 13 May, that a supercomputer in Barcelona, Spain was also shut down because of a security breach.

Reports of security breaches from Germany continued on Thursday, 14 May, when the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences in München, said it had disconnected a computing cluster from the internet following a security breach.

It was followed by another announcement from Julich Research Center, which shut down its JURECA, JUDAC, and JUWELS supercomputers because of an "IT security incident." Meanwhile, the Technical University in Dresden also shut down its Taurus supercomputer.

A high-performance computing cluster at the Ludwig-Maximilians University Faculty of Physics in Munich, Germany was also infected, according to an analysis published on Saturday, 16 May, by German scientist Robert Helling.

Meanwhile, a cyber-attack also prompted the Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland to shut down external access to its supercomputer infrastructure "until having restored a safe environment."

Cado Security discovered that these attacks used compromised SSH (Secure Shell) logins from universities in Canada, China, and Poland, and that they shared similar malware file names, the same vulnerability, and common technical indicators. This implies the attacks were performed by the same culprit. The attacks on ARCHER appear to have come from Chinese IP addresses.

The reasons for the attacks on supercomputers are still unclear. The aim could purely be to mine digital currency, which is more effective on a supercomputer than on regular PCs.

Cado Security co-founder Chris Doman told ZDNet that once attackers gained access to a supercomputer, they would employ an exploit for the CVE-2019-15666 vulnerability to gain root access and then use an application that mined the Monero (XMR) cryptocurrency.

Meanwhile, there are also concerns that these attacks target the research itself, either to steal or to disrupt it, since these supercomputers were prioritizing studies on the coronavirus. With these incidents, this much-needed research is most likely to be delayed.

Whatever the reasons may be, these incidents call for stricter security measures to prevent future breaches.
