European Supercomputers Hacked to Mine Cryptocurrency

Supercomputers across Europe have been targeted in a series of cyberattacks, with the powerful machines being secretly used to mine cryptocurrency. Reports of such incidents have come from the United Kingdom, Germany, and Switzerland, and, according to unconfirmed sources, a high-performance computing center in Spain was also affected by a similar attack.

Timeline of the Attacks

The first report of an attack came last week from the University of Edinburgh, home to the ARCHER supercomputer. As previously reported, the administration was forced to suspend ARCHER's operations and invalidate all existing passwords and SSH keys, requiring every user to set new ones before access was restored.

Soon after, the German bwHPC initiative, which coordinates high-performance computing for the universities of the state of Baden-Württemberg, announced that five of its high-performance computing clusters would be temporarily unavailable due to similar issues. The affected systems included:

  • The Hawk supercomputer at the High-Performance Computing Center Stuttgart, University of Stuttgart
  • The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology
  • The bwForCluster JUSTUS supercomputer at the University of Ulm, used by chemists and quantum information researchers
  • The bwForCluster BinAC supercomputer at the University of Tübingen, used by bioinformaticians

Following these incidents, cybersecurity researcher Felix von Leitner reported on his blog that a supercomputer in Spain was also attacked, resulting in its temporary shutdown.

On Thursday, more reports of breaches emerged. The Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences announced a breach that led to the shutdown of its computing cluster. The same day, the Jülich Research Center (Forschungszentrum Jülich) in Germany reported a compromise, stating that access to the JURECA, JUDAC, and JUWELS supercomputers had to be cut off. The Technical University of Dresden also announced that it was forced to suspend operations of its Taurus supercomputer.

Over the weekend, the Swiss National Supercomputing Centre (CSCS) in Zurich was also forced to close external access to its supercomputing infrastructure due to an attack.

Investigation and Findings

Interestingly, none of the affected organizations initially released many details about the incidents. Only recently has the situation become clearer: the EGI CSIRT, the computer security incident response team of the European Grid Infrastructure (EGI), which coordinates distributed computing for European research, published malware samples and indicators of compromise related to some of the incidents.

Additionally, over the weekend, German expert Robert Helling published an analysis of the malware that infected a high-performance computing cluster at the Faculty of Physics at Ludwig Maximilian University of Munich.

The malware samples released by the specialists have already been analyzed by Cado Security. The company reports that the attackers appear to have gained access to the supercomputing clusters using compromised SSH credentials, a fact previously hinted at by the ARCHER administration. The credentials seem to have been stolen from university researchers who had been granted access to the supercomputers for their work; the stolen SSH credentials belonged to users at universities in Canada, China, and Poland. Because the same research accounts are typically valid on several clusters, a single stolen credential gave the attackers a foothold on more than one site.
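Access through stolen research credentials leaves a trace that centre operators can look for: a legitimate academic account normally logs in from one home institution, whereas a credential being shared by attackers shows up from several unrelated source addresses in a short time. The script below is an added example, not code from the affected centres, Cado Security or EGI CSIRT; it parses standard OpenSSH "Accepted ... for USER from IP" log lines and flags accounts that authenticated from an unusual number of distinct source IPs inside a sliding time window. The log lines are constructed for the example (RFC 5737 documentation addresses), and the threshold, window and year are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the example; not real logs from any site.
SAMPLE_AUTH_LOG = """\
May 11 08:02:13 login1 sshd[4121]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: RSA SHA256:abc
May 11 08:40:51 login1 sshd[4188]: Accepted publickey for alice from 198.51.100.7 port 50410 ssh2: RSA SHA256:abc
May 11 09:15:02 login1 sshd[4301]: Accepted publickey for bob from 203.0.113.15 port 40211 ssh2: RSA SHA256:def
May 11 22:47:19 login2 sshd[5110]: Accepted publickey for bob from 192.0.2.44 port 33012 ssh2: RSA SHA256:def
May 11 23:02:55 login2 sshd[5133]: Accepted publickey for bob from 192.0.2.91 port 33077 ssh2: RSA SHA256:def
May 12 01:30:40 login1 sshd[5302]: Accepted password for bob from 203.0.113.200 port 51900 ssh2
May 12 03:11:09 login1 sshd[5400]: Failed password for root from 192.0.2.91 port 41000 ssh2
"""

# Matches the successful-authentication line format emitted by OpenSSH sshd.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LoginEvent = namedtuple("LoginEvent", "when host method user ip")


def parse_accepted_logins(text, year=2020):
    """Parse successful sshd logins. Syslog timestamps carry no year, so the
    caller supplies one (assumption: the log does not span a year boundary)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failed attempts and other daemons are ignored here
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(LoginEvent(when, m["host"], m["method"], m["user"], m["ip"]))
    return events


def find_shared_credentials(events, min_sources=3, window=timedelta(hours=24)):
    """Return {user: sorted source IPs} for every account that authenticated
    from at least `min_sources` distinct IPs within some window of `window`
    length. Thresholds are assumptions; a site with many roaming users will
    want a higher `min_sources` or an allow-list of institutional ranges."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        # Slide the window start over each login; stop at the first hit.
        for i, start in enumerate(evs):
            ips = {e.ip for e in evs[i:] if e.when - start.when <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    logins = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for user, ips in find_shared_credentials(logins).items():
        print(f"{user}: {len(ips)} distinct sources in 24h -> {', '.join(ips)}")
```

On the constructed log, `alice` is quiet (one source address), while `bob` is flagged with four distinct sources in under a day, including a switch from key-based to password authentication on the last login. In practice the flagged list is a starting point for the sort of credential reset ARCHER performed, not proof of compromise on its own; pairing it with a check against the published indicators of compromise narrows it further.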

While there is no definitive proof that all the attacks were carried out by the same hacker group, similar malware file names and network indicators suggest that the same individuals may be behind all the incidents.

Cado Security researchers believe that after gaining access to a supercomputer node, the attackers exploited CVE-2019-15666, a bug in the Linux kernel's XFRM (IPsec) subsystem, to escalate from an ordinary user account to root and deploy a Monero (XMR) cryptocurrency miner on the compromised supercomputer.

Possible Motives

It is also worth noting another interesting fact: many of the organizations whose supercomputers were attacked had previously announced that they were prioritizing research related to COVID-19. As a result, there is a theory that the hackers may have intended to steal the results of this research or simply sabotage it.
