Reports of confirmed attacks with the intention of mining cryptocurrency are coming in from multiple countries around Europe.

Supercomputers based in the UK, Switzerland and Germany have now shut down in order to investigate the infections caused by the malware and identify how the intrusions occurred.

Multiple attacks throughout Europe

Edinburgh University which operates the UK’s ARCHER supercomputer was the first victim to recognise an attack. A report from the organisation stated that security exploitation had been identified on the supercomputer’s login nodes and that the ARCHER system would be shut down for an investigation, with Secure Shell (SSH) passwords reset to prohibit any further intrusions.

The Swiss Centre of Scientific Computations based in Zurich, Switzerland also closed off all external access to its own supercomputer infrastructure until a safe environment could be restored after it reported a “cyber-incident.”

In the German state of Baden-Württemberg, an announcement was made by bwHPC, an organisation tasked with coordinating research projects in the area using several supercomputers. The organisation commented that due to “security incidents”, five of its computing clusters were required to be shut down, including the Hawk supercomputer at the University of Stuttgart.

More unauthorised intrusions throughout Germany were reported later at the Leibniz Computing Centre, the Julich Research centre, and at the Faculty of Physics at the Ludwig-Maximilians University Faculty of Physics in Munich.

Access obtained by compromised SSH logins

While details remain unpublished of the intrusions on the supercomputers across Europe, data discovered has been released that could prove enlightening for those defending against cyberattacks. The European Grid Infrastructure’s (EGI) computer Security Incident Response Team (CSIRT) has provided indicators of network compromise and malware samples revealed in some of the intrusions.

The EGI works to coordinate research conducted on supercomputers all over Europe and has disclosed its findings to cybersecurity specialists in the USA for inspection. Their findings to date indicate that the hackers managed to gain access to the computing clusters through compromised SSH credentials.

Further investigation suggests that the credentials have been harvested from universities in possession of memberships that enable them to access the supercomputers to perform computing jobs. The stolen SSH logins uncovered belonged to international universities in Poland, China and Canada.

After the attackers successfully accessed a supercomputing node, they then utilised an exploit for a common vulnerability and exposure (CVE-2019-15666) to obtain root access, they then deployed an app to mine the open-source Monero cryptocurrency. Although no official evidence exists to confirm the multiple attacks were the work of a single group, the fact that similar network indicators and file names for malware were used suggests that one threat actor may be responsible for all.

The need for downtime while security investigations are conducted on the supercomputers has had a negative impact on important work being carried out during the coronavirus pandemic. Many of the organisations hit by the malware attacks had recently announced that the computer clusters were prioritising COVID-19 outbreak research, and their combined efforts have now been delayed by the insidious intrusions.