Hackers break into academic high-performance computing clusters in Edinburgh, Germany and Switzerland to install Monero currency-mining software
Supercomputers across Europe have been compromised in a string of cyber-attacks over the past week, with the attackers apparently aiming to make profits from the mining of cryptocurrency.
At least a dozen organisations in the UK, Germany and Switzerland have reported compromises that forced them to disable their systems.
Many of the supercomputers had been running Covid-19 research as a priority, with the shutdowns causing disruption to that research.
The University of Edinburgh reported on Monday 11 May that its Archer system had been shut down to investigate “security exploitation on the Archer login nodes”.
The university said it had reset users’ SSH passwords to head off further attacks. Researchers said attackers apparently used stolen SSH passwords to carry out the intrusions.
University of Edinburgh staff said they “now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe”.
The university said it was working with the UK’s National Cyber Security Centre to restore the Archer system.
“We are aware of this incident and are providing support,” the NCSC said.
“The NCSC works with the academic sector to help it improve its security practices and protect its institutions from threats.”
Five more systems were shut down in Germany on 11 May due to similar “security incidents”, with the German state of Baden-Württemberg saying clusters at the University of Stuttgart, the Karlsruhe Institute of Technology (KIT), Ulm University and Tübingen University had been affected.
Later in the week, researchers and institutes reported similar incidents affecting a cluster in Barcelona, one at the Leibniz Computing Center (LRZ) in Bavaria, and several systems at the Jülich Research Center in Jülich, Germany.
Systems in Dresden and Munich in Germany and the Swiss Centre of Scientific Computations (CSCS) in Zürich also reported similar incidents.
The pan-European Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) released malware samples and indicators of compromise.
“A malicious group is currently targeting academic data centres for CPU mining purposes,” the EGI said in an advisory.
“The attacker is hopping from one victim to another using compromised SSH credentials.”
UK-based Cado Security said the attacks were carried out using compromised credentials that had been provided to universities in Canada, China and Poland.
The attacks appeared to have been carried out by the same group and had exploited the CVE-2019-15666 vulnerability to install mining software for the Monero cryptocurrency, Cado said.