Multiple reports of compromised high-performance computer systems across Europe surfaced in the past week, and clues may indicate a single actor behind the breaches.
Supercomputer systems are energy-hungry high-performance number crunchers that are used for everything from weather pattern modelling to simulating protein folding. That same raw calculation power can be used for mining cryptocurrencies, and cases have happened in the past where employees have been busted running unauthorized mining operations on HPCs.
Reports out of Europe last week suggests that for the first time hackers have successfully breached multiple HPCs and clusters to run a mining application. Last Monday, the ARCHER supercomputer at the University of Edinburgh was was shut down while a security exploitation was investigated. The same day, in Baden-Württemberg, Germany, the bwHPC organization shut down five of its HPC clusters due to similar incidents.
Furthermore, later last week similar incidents was reported in Germany, in Barcelona, and also in Zurich. None of the organizations managing the systems gave detailed accounts of the breaches, but the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) provided malware samples and network compromise indicators from the multiple incidents.
According to an analysis by Cado Security, the attackers gained access to the clusters through compromised SSH credentials, which had belonged to Universities in Canada, Poland, and China. Once the attackers gained access to the nodes, they exploited a vulnerability (CVE-2019-15666) providing root access, and proceeded to run an application to mine Monero cryptocurrency.
Cado's Chris Doman told ZDNet that there was some evidence to suggest the same attacker behind the cluster of cases, pointing to similar malware file names and network indicators. However, there is no official evidence as of yet.
Whether running the mining operation was the ultimate motivating factor in these incidents, or just an opportunistic side attack, remains to be seen. It is notable that these supercomputers, along with many others in the world, were being repurposed to work on aspects of the COVID-19 pandemic. Such research could have been the ultimate target of a widepsread breach.
Reports out of Europe last week suggests that for the first time hackers have successfully breached multiple HPCs and clusters to run a mining application. Last Monday, the ARCHER supercomputer at the University of Edinburgh was was shut down while a security exploitation was investigated. The same day, in Baden-Württemberg, Germany, the bwHPC organization shut down five of its HPC clusters due to similar incidents.
Furthermore, later last week similar incidents was reported in Germany, in Barcelona, and also in Zurich. None of the organizations managing the systems gave detailed accounts of the breaches, but the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI) provided malware samples and network compromise indicators from the multiple incidents.
According to an analysis by Cado Security, the attackers gained access to the clusters through compromised SSH credentials, which had belonged to Universities in Canada, Poland, and China. Once the attackers gained access to the nodes, they exploited a vulnerability (CVE-2019-15666) providing root access, and proceeded to run an application to mine Monero cryptocurrency.
Cado's Chris Doman told ZDNet that there was some evidence to suggest the same attacker behind the cluster of cases, pointing to similar malware file names and network indicators. However, there is no official evidence as of yet.
Whether running the mining operation was the ultimate motivating factor in these incidents, or just an opportunistic side attack, remains to be seen. It is notable that these supercomputers, along with many others in the world, were being repurposed to work on aspects of the COVID-19 pandemic. Such research could have been the ultimate target of a widepsread breach.
