University supercomputers shut down over cryptocurrency mining malware

News by Andrew McCorkell

Leading educational facilities are among those whose supercomputers were infected in the UK, Switzerland and Germany, with one more suspected in Spain, according to reports.

Several supercomputers across Europe have had to be shut down after they were infected with cryptocurrency mining malware.

The security attacks were confirmed in the UK, Germany, and Switzerland, according to ZDNet, with an intrusion suspected at a high-performance computing centre in Spain. 

Jake Moore, a cybersecurity specialist at ESET, said that supercomputers are lucrative targets for threat actors due to the "sheer amount of money" they can yield via mining.

Personal computers simply cannot mine digital currencies at anywhere near the rate at which supercomputers can.

Moore said: "What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto mining malware used for the attack."

He added that all the SSH login credentials will now need resetting, which may take a while, but that this is vital to stop further attacks.

"Once a list of credentials is compromised, it is a race against time to have these reset," Moore warned.

"Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software."

The first incident was reported on 11 May on the ARCHER supercomputer at the University of Edinburgh.

The university said there had been a "security exploitation on the ARCHER login nodes".

It shut down the ARCHER system to investigate and reset SSH passwords to prevent further intrusions. 

The research organisation that coordinates across supercomputers in Baden-Württemberg, Germany, the bwHPC, said five of its high-performance computing clusters were shut down because of similar security incidents.

They included the Hawk supercomputer at the University of Stuttgart’s High-Performance Computing Center Stuttgart (HLRS), bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT). 

Also hit were the bwForCluster JUSTUS chemistry and quantum science supercomputer at Ulm University and the bwForCluster BinAC bioinformatics supercomputer at Tübingen University.

More incidents were reported at a supercomputer in Barcelona, the Leibniz Computing Center (LRZ), and the high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.

A cyber incident also preceded a shutdown at the Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland.

Most of the machines are used mainly for scientific work and testing mathematical models for complex physical phenomena and designs.

Doctor Anton Grashion, VP EMEA at Corelight, said: "Protecting supercomputers and data centres is no trivial task, especially when they are used for mathematical modelling and scientific work, which require a great deal of collaboration and, consequently, data flow.

"The scale of this mission requires leading-edge performance in computing, storage, and networking. This is true for supercomputing services such as the UK’s ARCHER, but also for all national labs and large research universities around the world.

"Conventional network protection is difficult in such environments, and endpoint management is equally challenging when the devices that require network access are so diverse - not just laptops and phones."

Grashion said that the only way such complex environments can be protected is by increasing visibility over the network traffic and turning to a data-driven security model that transforms such traffic into comprehensive, real-time logs.

He added: "Open source tools like Zeek provide security teams with the sort of actionable data they need to monitor the security posture of institutions such as the ones breached in this attack, where the management of risk is vital to allow scientific progress." 
