The case of European supercomputers compromised to mine cryptocurrencies: here is what happened

Over the past week, several supercomputers at European universities and research centers have been compromised and had cryptocurrency-mining malware installed on them. The computing clusters have been temporarily deactivated so that the intrusions can be investigated and security restored. The incidents have mostly occurred in Germany, but some cases have also been reported in the UK, Switzerland and Spain.

The first case dates back to last Monday when the University of Edinburgh, which operates the ARCHER supercomputer, reported an episode of "security breach at ARCHER login nodes". The consequence was the deactivation of the supercomputer to investigate and reset the SSH passwords to prevent the occurrence of further intrusions.

On the same day bwHPC, the organization that coordinates research projects between supercomputers in the German state of Baden-Württemberg, announced that five of its high-performance computing clusters were offline due to similar security incidents. The Hawk supercomputer at the Höchstleistungsrechenzentrum Stuttgart of the University of Stuttgart, the bwUniCluster 2.0 and ForHLR II clusters at the Karlsruher Institut für Technologie, the bwForCluster JUSTUS cluster of the University of Ulm and the bwForCluster BinAC of the University of Tübingen have been deactivated.

On Wednesday, security researcher Felix von Leitner published a post on his blog indicating that the Marenostrum supercomputer in Barcelona (we visited it last year, read our report: Marenostrum, in a deconsecrated chapel the supercomputer at the service of science) had been hit by a similar security problem and had been disabled accordingly.

The following day, Thursday 14 May, further cases came to light: first the Leibniz-Rechenzentrum announced that it had disconnected a computing cluster following a security breach, then the Forschungszentrum Jülich reported that it had disabled the JURECA, JUDAC and JUWELS supercomputers following an "IT security incident". The same thing happened to the Dresden University of Technology, with the Taurus supercomputer.

Saturday also saw further cases: German scientist Robert Helling published an analysis of the malware that infected a computing cluster at the Physics faculty of the Ludwig-Maximilian University of Munich, while the Swiss Center for Scientific Computing in Zurich disabled external access to its supercomputer infrastructure following a security incident; access will remain closed until a secure environment has been re-established.

Malware installed on supercomputers to mine Monero

None of the organizations mentioned so far have published specific details of the intrusions. It is the Computer Security Incident Response Team of the European Grid Infrastructure, a pan-European organization that coordinates research on supercomputers in Europe, that has released malware samples and network indicators of compromise found in some of these incidents. The malware samples were analyzed by Cado Security, a US security company, which noted that the attackers seem to have obtained access to the supercomputer clusters by using SSH credentials stolen from university members who have legitimate access to the supercomputers' computing resources. The compromised credentials seem to belong to Canadian, Chinese and Polish universities.

There is no official evidence showing that all the intrusions were carried out by the same group, but some elements of the malware and the indicators of compromise, as well as the shared purpose and the short time window in which the incidents occurred, suggest that the same hand is behind them. According to the analyses, once the attackers have obtained access to a supercomputing node, they exploit the CVE-2019-15666 vulnerability to obtain root access and install an application for mining the Monero cryptocurrency.
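A check a site could run over its login-node logs for the stolen-credential pattern described above, as an added example that is not part of the original article: it flags successful SSH logins from networks an account has never used before and singles out sources that opened more than one account. The log lines, user names, host names and prefix lengths are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd lines: documentation IP ranges and hypothetical users.
BASELINE_LOG = """\
May  4 09:12:01 login1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
May  5 10:02:44 login1 sshd[2291]: Accepted password for bob from 198.51.100.7 port 40100 ssh2
May  6 08:55:13 login1 sshd[2340]: Accepted publickey for carol from 198.51.100.200 port 50990 ssh2
"""
NEW_LOG = """\
May 11 03:11:09 login1 sshd[2412]: Failed password for bob from 203.0.113.5 port 41822 ssh2
May 11 03:17:30 login1 sshd[2533]: Accepted password for bob from 203.0.113.5 port 41900 ssh2
May 11 03:20:02 login2 sshd[1190]: Accepted publickey for alice from 192.0.2.45 port 51011 ssh2
May 11 03:22:48 login2 sshd[1201]: Accepted publickey for carol from 203.0.113.99 port 41950 ssh2
May 11 09:40:00 login1 sshd[2790]: Accepted publickey for bob from 2001:db8:5::1 port 40222 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its surrounding network so address churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def accepted_logins(log_text):
    """Yield (user, source network) for each successful sshd authentication."""
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            yield m.group(2), network_of(m.group(3))

def unfamiliar_sources(baseline_text, new_text):
    """Map each source network absent from a user's baseline to the accounts it opened."""
    known = defaultdict(set)
    for user, net in accepted_logins(baseline_text):
        known[user].add(net)
    alerts = defaultdict(set)
    for user, net in accepted_logins(new_text):
        if net not in known[user]:
            alerts[str(net)].add(user)
    return dict(alerts)

def shared_sources(alerts):
    """Sources that opened two or more accounts: one host holding several credentials."""
    return sorted(net for net, users in alerts.items() if len(users) > 1)
```

Because the credentials came from users at other institutions, a first-seen network is only a lead to verify with the account holder, not proof of compromise.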

What makes the incidents even more unpleasant is that many of the organizations mentioned above had given priority to research related to the COVID-19 pandemic, which is now hampered by the intrusions and the subsequent downtime of the computing clusters.

This is not the first time crypto-mining malware has been installed on supercomputers, but previously it had only been legitimate employees or users of the system who installed miners for their own personal gain, as was the case at the Russian Nuclear Center in February 2018 or the Australian Bureau of Meteorology in the following month.
