Several universities and research facilities in the UK, Switzerland, Germany, and Spain have had their supercomputers compromised by attackers whose aim was to mine the Monero (XMR) cryptocurrency. The universities affected include:
- The University of Edinburgh, the first to report a breach, which operates the ARCHER supercomputer. After its nodes were compromised, the organization shut ARCHER down to investigate and reset all SSH passwords to prevent further attacks.
- The high-performance computing cluster at the Faculty of Physics of Ludwig-Maximilians-Universität in Munich, Germany, after which the German scientist Robert Helling published an analysis of the threat.
Research facilities outside the universities were hit as well:
- bwHPC, the high-performance computing consortium of the state of Baden-Württemberg, Germany, was hit hard: five of its systems, located at the University of Stuttgart, the Karlsruhe Institute of Technology (KIT), Ulm University, and Tübingen University, were all shut down.
- The Swiss National Supercomputing Centre (CSCS), operated by ETH Zurich, as well as a supercomputer in Barcelona, Spain, were also caught up in the infection.
On Thursday two further reports appeared: one from the Leibniz Supercomputing Centre (an institute of the Bavarian Academy of Sciences) and the other from the Jülich Research Centre (Forschungszentrum Jülich) in Jülich, Germany, where the JURECA, JUDAC, and JUWELS supercomputers were all shut down because of the "IT breach."
Compromised SSH logins gave the attackers access.
The Computer Security Incident Response Team (CSIRT) of the European Grid Infrastructure (EGI), a pan-European organization that coordinates research computing across Europe, was called in to investigate the breaches. It released malware samples obtained from the infected institutions, together with network indicators of compromise, and had the samples reviewed by Cado Security, a UK-based cyber-security company.
According to the analysis of those samples, the attacks began with compromised SSH credentials, which are believed to have been stolen from members of universities in China, Poland, and Canada. With the stolen credentials the attackers could log in to a cluster node, escalate to root by exploiting CVE-2019-15666 (a Linux kernel local privilege-escalation bug), and then deploy an application that mines the Monero (XMR) cryptocurrency. Note that the credentials themselves were the entry point: the kernel bug only turned an ordinary user login into root, so a patched kernel alone would have stopped the escalation but not the initial access.
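Added here as a worked example, not code from the article, from EGI CSIRT or from Cado Security: a small Python triage script that applies two heuristics to OpenSSH authentication logs that fit the scenario above. It lists every account that logged in with a password at all (the kind of credential that can be stolen and replayed, and the kind ARCHER reset), and it flags accounts that authenticated from different source networks within a few hours, a simple indicator that one credential is being used from more than one place. The log lines, hostname, account names and addresses are constructed for the example; the year 2020 (syslog timestamps carry none), the /24 grouping of sources and the six-hour window are assumed, tunable parameters.

```python
"""Flag suspicious SSH logins in OpenSSH auth logs.

Added example, not from the original article, EGI CSIRT or Cado Security.
Two heuristics for the stolen-credential scenario described in the text:
  1. any successful *password* login (replayable if stolen; key-based or
     MFA-backed logins would not have been), and
  2. one account authenticating from different source networks within a
     short window, a cheap sign of a shared or stolen credential.
Log lines, host, users and addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample lines in OpenSSH syslog format (RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
May 11 09:58:12 login1 sshd[4101]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
May 11 10:01:44 login1 sshd[4188]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
May 11 10:03:02 login1 sshd[4190]: Failed password for alice from 203.0.113.5 port 51240 ssh2
May 11 11:17:30 login1 sshd[4377]: Accepted password for alice from 192.0.2.44 port 60011 ssh2
May 11 11:20:05 login1 sshd[4402]: Accepted password for carol from 203.0.113.9 port 38000 ssh2
May 11 12:45:19 login1 sshd[4555]: Accepted password for carol from 203.0.113.12 port 38100 ssh2
"""

# Matches successful authentications only; failures and disconnects are noise here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(log_text, year=2020):
    """Return successful-login events as dicts (the year is assumed: syslog has none)."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_password_logins(events):
    """Accounts that got in with a password at all (candidates for a reset)."""
    return sorted({e["user"] for e in events if e["method"] == "password"})


def _source_net(ip, prefix):
    # Collapse an address to its enclosing network so that neighbouring addresses
    # (same campus NAT pool, same ISP block) count as one source.
    return ip_network(f"{ip}/{prefix}", strict=False)


def find_source_spread(events, window=timedelta(hours=6), prefix=24):
    """Accounts seen from more than one source network within `window`.

    Returns {user: sorted list of the source IPs involved}.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # events are time-sorted, so nothing further is in-window
                if _source_net(first["ip"], prefix) != _source_net(later["ip"], prefix):
                    flagged[user].update({first["ip"], later["ip"]})
    return {user: sorted(ips) for user, ips in flagged.items()}


def triage(log_text):
    """Run both heuristics over a log and return the findings together."""
    events = parse_accepted_logins(log_text)
    return {
        "password_logins": find_password_logins(events),
        "source_spread": find_source_spread(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_AUTH_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed log this reports alice and carol as password users and flags only alice, who appeared from 203.0.113.0/24 and 192.0.2.0/24 seventy-six minutes apart; carol's two addresses fall in the same /24 and bob used a key. Run against a real /var/log/auth.log or the output of `journalctl -u sshd`, expect noise from roaming users on VPNs and laptops: the output is a shortlist for credential resets and indicator checks, not a verdict on its own.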
The co-founder of Cado Security said that "while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor."
Sadly, the intrusions have also impeded COVID-19 research being carried out on the affected systems.
Incidents of this kind are not new, although earlier cases involved insiders rather than outside attackers: in 2018, arrests were made in Russia and an investigation was opened in Australia after employees were suspected of using supercomputers to mine cryptocurrency.