Over the past week, supercomputers across Europe have reportedly been hacked by an unidentified group. The attackers have allegedly been installing cryptocurrency mining software on these systems. Multiple supercomputers in the UK, Germany, Switzerland, and later in Spain were targeted, and as a result, most of them were taken offline.

According to a report released by ZDNet, ARCHER, a supercomputer at the University of Edinburgh, was the first system targeted by the attackers. The system was being used to run analysis of COVID-19 before it was taken offline. According to the organization, the security of ARCHER's login nodes was recently exploited, and it decided to shut down the system to conduct further investigation.

It also reset the system's SSH password to prevent further intrusions. A similar incident happened in the state of Baden-Württemberg in Germany, where bwHPC was attacked. bwHPC coordinates research projects across the state's supercomputers. The report says that the team had to shut down five of its high-performance supercomputers.

Security researcher Felix von Leitner shared in a blog post that a supercomputer located in Barcelona, Spain, has been affected by a security problem. Several similar incidents surfaced on May 14, 2020, the first of them at the Leibniz Computing Center. The institute, which is under the Bavarian Academy of Sciences, said that it had disconnected a computing cluster from the internet after a security breach.

On Friday, the Jülich Research Center in Jülich, Germany, also reported a similar incident. According to its officials, they had to shut down supercomputers following a security incident. The systems that were shut down include JUWELS, JURECA, and JUDAC. The Taurus supercomputer of the Technical University in Dresden was also shut down following a similar issue.

In Zurich, Switzerland, the Swiss Center of Scientific Computations also reported a cyber incident. It decided to shut down external access to its supercomputer infrastructure. The organization said that access would remain shut until it could restore a safe environment.

In a recent report, Cado Security Co-Founder Chris Doman said that there is no official evidence to assert that the same group executed all of the recent attacks. However, pieces of evidence such as network indicators and similar malware files suggest that the attacks originated from the same threat actor.

Based on Doman's analysis, the attackers used an exploit for CVE-2019-15666 once they had access to a supercomputer node. The exploit allows the attackers to gain root access and then deploy an application that mines the Monero (XMR) cryptocurrency.