Supercomputers in Europe Targeted by Cryptocurrency Miners
Supercomputers across Europe have recently fallen victim to targeted attacks by cryptocurrency miners, resulting in key IT resources being taken offline, including those working on critical COVID-19 research.
University of Edinburgh’s Archer Supercomputer
One of the first reported incidents occurred at the University of Edinburgh, where the Archer supercomputer was compromised and taken offline after its login nodes were exploited. The institution has been working closely with the National Cyber Security Centre (NCSC) to address the issue, and all existing passwords and SSH keys have been reset. As of now, the Archer supercomputer remains offline.
European Grid Infrastructure (EGI) Analysis
The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) has identified two potentially related security incidents targeting academic data centers for CPU mining. According to their analysis, a malicious actor has been using compromised SSH credentials to hop from one victim to another. The attacker has been logging in from three compromised networks at institutions in Poland and China, one of them in Shanghai.
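The hopping pattern described above leaves a trace in sshd logs on the login nodes: successful logins from the compromised source networks, and the same public-key fingerprint turning up under more than one account. The following Python script is an added example of that detection logic and is not code from EGI CSIRT or any affected site; the log lines and the list of suspect networks are constructed for illustration (real indicators would come from the CSIRT advisory), and a network allowlist is deliberately not used, since HPC login nodes legitimately accept users from all over the world.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log lines in syslog format (not from any real
# incident). Documentation ranges (RFC 5737) stand in for real addresses.
SAMPLE_LOG = """\
May 11 09:12:01 login1 sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:aaaa
May 11 09:15:44 login1 sshd[2044]: Accepted publickey for bob from 192.0.2.11 port 50190 ssh2: RSA SHA256:bbbb
May 11 23:41:07 login1 sshd[3190]: Accepted publickey for bob from 198.51.100.7 port 41022 ssh2: RSA SHA256:bbbb
May 12 02:03:55 login2 sshd[4102]: Accepted password for carol from 203.0.113.9 port 38872 ssh2
May 12 02:05:13 login2 sshd[4130]: Accepted publickey for dave from 203.0.113.9 port 38901 ssh2: RSA SHA256:bbbb
May 12 02:06:40 login1 sshd[4155]: Failed password for root from 203.0.113.9 port 39004 ssh2
"""

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2"
# lines; the trailing key type and SHA256 fingerprint only appear for
# public-key logins, so that group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)


def parse_accepted_logins(log_text):
    """Yield one dict per successful sshd login found in log_text."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious_logins(log_text, suspect_networks):
    """Return findings for logins from suspect networks and for
    public-key fingerprints used by more than one account.

    suspect_networks: CIDR strings for source networks the CSIRT has
    reported as compromised (assumed indicator list, not a real one).
    """
    suspect = [ipaddress.ip_network(n) for n in suspect_networks]
    findings = []
    users_by_fp = defaultdict(set)  # fingerprint -> accounts it logged into

    for ev in parse_accepted_logins(log_text):
        ip = ipaddress.ip_address(ev["ip"])
        if any(ip in net for net in suspect):
            findings.append(("suspect_network", ev["user"], ev["host"], ev["ip"]))
        if ev["fp"]:
            users_by_fp[ev["fp"]].add(ev["user"])

    # A stolen private key replayed to hop between accounts shows up as one
    # fingerprint accepted for several different usernames.
    for fp, users in users_by_fp.items():
        if len(users) > 1:
            findings.append(("key_reused_across_accounts", fp, tuple(sorted(users))))
    return findings


if __name__ == "__main__":
    # Constructed indicator list: the two "compromised" source networks.
    for finding in find_suspicious_logins(SAMPLE_LOG, ["203.0.113.0/24", "198.51.100.0/24"]):
        print(finding)
```

Every account that appears in a finding is a candidate for the credential reset the affected sites carried out: the account's password, and every authorized key whose fingerprint is implicated, should be revoked rather than merely the one used in the observed login, because the attacker may hold other keys harvested from the same user's home directory on an earlier victim.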
It is believed that the attackers are exploiting a known Linux kernel vulnerability (CVE-2019-15666) for privilege escalation before deploying a Monero cryptocurrency miner on the compromised supercomputers. Other institutions affected by these attacks include the Swiss National Supercomputing Centre (CSCS), bwHPC in Germany, the University of Stuttgart’s HPE Hawk machine, the Leibniz Supercomputing Centre (LRZ), and a facility in Barcelona.
Expert Insights
According to cybersecurity specialist Jake Moore from ESET, this targeted campaign is unique in that the hackers have managed to compromise the supercomputers remotely, without the need for an insider to install the mining malware. Resetting all SSH login credentials is crucial to prevent further attacks, but it may take some time to complete. Moore emphasizes the importance of acting swiftly to reset compromised credentials to prevent threat actors from taking advantage of the mining software.