Criminals abuse European supercomputers for crypto mining
Several supercomputers in Europe have been shut down after security incidents. Software for mining the cryptocurrency Monero was found. The criminals gained access through hijacked SSH logins.
Last week, security incidents occurred at supercomputers in Germany, the UK and Switzerland, and presumably also in Spain. Last Monday, a research institute in the German state of Baden-Württemberg announced that five of its clusters were suffering from security incidents.
On Thursday, the Leibniz Computing Center reported disconnecting a computing cluster from the Internet after a security breach, followed on Friday by three supercomputers from Germany’s Jülich Research Center and the Taurus supercomputer from the Technical University of Dresden. On Saturday, a supercomputer of the Ludwig-Maximilians University in Munich was also found to have been hit.
In Switzerland, remote access to a Swiss Center of Scientific Computations supercomputer has been shut down after a cyber incident, and in the UK, the University of Edinburgh has shut down its Archer supercomputer after logins were abused. According to security researcher Felix von Leitner, a supercomputer in Barcelona was also affected. ZDNet lists all incidents.
A link between the incidents has not yet been proven, but the Computer Security Incident Response Team for the European Grid Infrastructure reports on two incidents, claiming that a criminal group is targeting academic data centers to mine cryptocurrency and is jumping from one victim to the next via stolen SSH credentials.
The response team found software for mining the cryptocurrency Monero in its investigation and reported that logins came through the networks of the Polish University of Krakow, Shanghai Jiao Tong University and the China Science and Technology Network. The group uses several techniques to mask its activity, including a Linux rootkit and log cleaners. In some cases it also runs the miner only at night. According to the team, the group is also targeting agencies in China and North America.
Cado Security has published an initial brief analysis of the incidents, and an employee of the Leibniz Supercomputing Center has parsed some of the files used by the criminals.
Archer, or Advanced Research Computing High End Resource, from the University of Edinburgh