A number of high-performance “supercomputers” that operate in various capacities across Europe have been compromised over the past week after being infected with cryptocurrency mining malware, according to a new report from ZDNet. Many of the computers have been shut down in order to investigate the infections.
The timing of the shutdowns is particularly bad because many of the organizations running the computers were prioritizing research on COVID-19. This research has now most likely been hampered by the malware and the subsequent shutdowns.
The malware may be coming from the same perpetrator
So far, the malware has been reported in the UK, Germany, and Switzerland; a fourth infection seems to have targeted a high-performance computing center located in Spain.
While none of the affected organizations released any specific details about the nature of the attacks, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), which coordinates research on supercomputers across Europe, has released samples of the malware and “network compromise indicators.”
So far, there isn’t any evidence that all of the attacks have been carried out by a single perpetrator or group of perpetrators.
However, according to US-based security firm Cado Security, these samples and indicators suggest that there may be a connection between the attacks: similar malware file names and other indicators suggest that the malware may be coming from the same source.
Cado also told ZDNet that the malware seems to have found its way onto the computers through stolen SSH login credentials that were taken from university members with access to the machines. The compromised SSH logins belonged to universities in Canada, China, and Poland.
Attacks in Spain, Germany, and Scotland
The first attack, which was reported last Monday, targeted a machine at the University of Edinburgh in Scotland–specifically, the ARCHER supercomputer.
“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place,” a report from the institution said on May 8th. The computer’s SSH passwords have also been reset.
The second mining malware infection, which was reported by bwHPC (an organization that coordinates research projects across supercomputers in the state of Baden-Württemberg), also came last Monday.
Four supercomputers within the German state–one each at the University of Stuttgart, the Karlsruhe Institute of Technology, Ulm University, and Tübingen University–have been shut down for investigations.
Then, on Wednesday, researcher Felix von Leitner wrote in a blog post that another supercomputer, this one in Barcelona, Spain, had been shut down as the result of a security issue.