Supercomputers across Europe have been attacked by cryptominers

Several supercomputers in different European countries were infected with cryptocurrency-mining malware this week. Incidents of this kind have occurred in the UK, Germany, Switzerland and Spain.


The first report of the attack came on Monday from the University of Edinburgh, which hosts the ARCHER supercomputer. A notice about the incident, with a recommendation to change user passwords and SSH keys, was published on the institution's website.

On the same day, the organization BwHPC, which coordinates research projects on supercomputers, announced the need to suspend access to five computing clusters in Germany to investigate "security incidents".

Reports of this nature continued on Wednesday, when information security researcher Felix von Leitner wrote on his blog that access to a supercomputer located in Barcelona, Spain, was closed while the cybersecurity incident was being investigated.

The next day, similar messages came from the Leibniz Computing Center, an institute at the Bavarian Academy of Sciences, as well as from the Jülich Research Center, located in the German city of the same name. Officials said that after the "incident with information security", access to the JURECA, JUDAC and JUWELS supercomputers has been closed. In addition, the Swiss Center for Scientific Computing in Zurich also closed external access to the infrastructure of its computing clusters after an information security incident "until the secure environment is restored."

None of the organizations mentioned have released any details regarding the incidents. However, the Information Security Incident Response Team (CSIRT), which coordinates supercomputing research across Europe, has released malware samples and additional data on some incidents.

The malware samples were reviewed by specialists from Cado Security, an American information security company. According to the experts, attackers gained access to the supercomputers through compromised user data and SSH keys. It is also assumed that the credentials were stolen from employees of universities in Canada, China and Poland who had access to the computing clusters to conduct various research.

While there is no official evidence that all the attacks were carried out by a single group of hackers, similar malware file names and online identifiers indicate that the series of attacks was carried out by a single group. Cado Security believes that attackers used an exploit for the CVE-2019-15666 vulnerability to access supercomputers, and then deployed Monero (XMR) cryptocurrency mining software.

It is worth noting that many of the organizations that were forced to close access to supercomputers this week previously announced that they were prioritizing research on the coronavirus infection COVID-19.



Source: 3dnews.ru
