European supercomputers hacked for cryptocurrency mining

In at least four countries: the UK, Germany, Spain, and Switzerland

In recent years, we have repeatedly heard that hackers infect users' computers and smartphones in one way or another in order to use these devices for cryptocurrency mining.


However, recent data indicate that this business is not limited to consumer devices. As it turned out, several European supercomputers located in the UK, Germany, and Switzerland were infected with malware that mines the Monero cryptocurrency. There is also evidence of a similar incident in Spain. Sources specify that the attacks were carried out using compromised SSH logins.

Many supercomputers across Europe were infected this week with cryptocurrency mining malware and were shut down for intrusion investigations.

Security incidents have been reported in the UK, Germany, and Switzerland, although it is rumored that a similar intrusion also occurred at a high-performance computing center located in Spain.

The first report of an attack came on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “using security on ARCHER entry nodes”, shut down the ARCHER system for investigation, and reset SSH passwords to prevent further intrusions.

BwHPC, an organization that coordinates research projects on supercomputers in Baden-Württemberg, Germany, also announced on Monday that five of its high-performance computing clusters had to be shut down due to similar "security incidents." These included:

  • The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
  • BwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
  • BwForCluster JUSTUS supercomputer for chemistry and quantum science at Ulm University
  • BwForCluster BinAC Bioinformatics Supercomputer at the University of Tübingen

More reports followed on Wednesday, when security researcher Felix von Leitner stated on his blog that a supercomputer located in Barcelona, Spain, was also affected by a security issue and, as a result, had been shut down.

The next day, Thursday, more events surfaced. The first came from the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences, which stated that it had disconnected the computing cluster from the Internet due to security violations.

LRZ's announcement was followed later that day by another from the Jülich Research Center in Jülich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers after an "information security incident." So did the Technical University in Dresden, which announced that it also had to shut down its Taurus supercomputer.

New incidents also became known today, Saturday. Robert Helling, a German scientist, published an analysis of malware that infected a high-performance computing cluster at the physics department of Ludwig-Maximilian University in Munich, Germany.

The Swiss Center for Scientific Computing (CSCS) in Zurich, Switzerland, also closed external access to its supercomputer infrastructure after the “cyber incident” and “before the restoration of a safe environment.”


None of the above organizations have published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, released malware samples and network indicators of compromise for some of these incidents.

The malware samples were reviewed earlier today by Cado Security, an American cybersecurity company. The company said the attackers seem to have gained access to the supercomputer clusters through compromised SSH credentials.

It seems that the credentials were stolen from university members who had been granted access to the supercomputers to perform computational tasks. The compromised SSH logins belonged to universities in Canada, China, and Poland.

Chris Doman, co-founder of Cado Security, told ZDNet that although there is no official evidence to confirm that all the intrusions were carried out by the same group, evidence such as similar malware file names and network indicators suggests that it may be the same group.

According to Doman’s analysis, once the attackers gained access to a supercomputer host, they seem to have used an exploit for CVE-2019-15666 to gain root access, and then deployed an application that mined the Monero (XMR) cryptocurrency.

To make matters worse, many of the organizations whose supercomputers went down this week had announced in previous weeks that they were prioritizing research on the COVID-19 outbreak, which is now likely to be hampered by the intrusion and subsequent downtime.


These incidents are not the first time that crypto-mining malware has been installed on a supercomputer. However, this is the first time that hackers have done this. In previous cases, as a rule, an employee installed a cryptocurrency miner for his own benefit.

For example, in February 2018, Russian authorities arrested engineers from the Russian Nuclear Center for using the agency’s supercomputer to mine cryptocurrency.

A month later, Australian officials began investigating a similar case at the Bureau of Meteorology, where employees used the agency's supercomputer to mine cryptocurrency.

1 comment:

  1. One must know what a Bitcoin wallet is and how to use it. It is simply the Bitcoin equivalent of a bank account. It allows you to receive Bitcoins, store them and send them to others. What it does is store a collection of Bitcoin privacy keys. Typically it is encrypted with a password or otherwise protected from unauthorized access. Read more here

