Multiple supercomputers across Europe have been infected with cryptocurrency-mining malware and taken offline while the intrusions are investigated, according to ZDNet. Security incidents have been reported in the UK, Germany, and Switzerland, and a similar intrusion is rumoured to have occurred at a high-performance computing centre in Spain. The first report came to light last Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organisation reported “security exploitation on the ARCHER login nodes”, shut ARCHER down to investigate, and reset SSH passwords to prevent further intrusions.
Protecting supercomputers and data centres is no trivial task, especially when they are used for mathematical modelling and scientific work, which require a great deal of collaboration and, consequently, a great deal of data flow. The scale of this mission requires leading-edge performance in computing, storage, and networking. This is true for supercomputing services such as the UK’s ARCHER, but also for national labs and large research universities around the world. Conventional network protection is difficult in such environments, and endpoint management is equally challenging when the devices that require network access are so diverse: not just laptops and phones.
Protecting environments this complex depends on increasing visibility into network traffic and moving to a data-driven security model that transforms that traffic into comprehensive, real-time logs. Open-source tools like Zeek give security teams the kind of actionable data they need to monitor the security posture of institutions such as the ones breached in these attacks, where managing risk is vital to allowing scientific progress to continue.
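As an added example of what “turning traffic into logs” buys a security team, the script below (written for this page, not Zeek’s own code or anything from the affected sites) runs two heuristics over Zeek-style records: a conn.log check for long-lived sessions from internal hosts to external hosts on ports that public stratum mining pools are commonly seen on, and an ssh.log check for a single external address successfully authenticating to several distinct login nodes, the fan-out pattern one would expect after a set of SSH credentials leaks. The log lines, addresses, timestamps, the 10.0.0.0/8 internal range and the STRATUM_PORTS list are all constructed assumptions for illustration; the column names follow Zeek’s default TSV layout.

```python
"""Added example: two detection heuristics over Zeek-style logs.

Zeek turns packets into per-connection records (conn.log) and
per-protocol records (ssh.log). The samples below are constructed for
this example and mimic Zeek's default TSV layout; nothing here is real
data from the incidents discussed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Ports that public stratum mining pools are commonly seen on (assumption:
# a weak signal only, since a pool can listen on any port, so the check
# also requires a long-lived session to an external host).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 14433}

# Constructed conn.log excerpt (invented addresses, not real HPC traffic).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1589190000.0\tC1\t10.0.1.5\t51000\t10.0.0.2\t22\ttcp\tssh\t120.5\t4200\t9800\tSF
1589190100.0\tC2\t10.0.1.5\t51001\t203.0.113.9\t3333\ttcp\t-\t7200.0\t88000\t16000\tS1
1589190200.0\tC3\t10.0.1.7\t51002\t198.51.100.4\t443\ttcp\tssl\t5.2\t1200\t9000\tSF
1589190300.0\tC4\t10.0.1.7\t51003\t203.0.113.9\t3333\ttcp\t-\t12.0\t300\t200\tSF
1589190400.0\tC5\t10.0.1.8\t51004\t203.0.113.9\t4444\ttcp\t-\t-\t0\t0\tS0
1589190500.0\tC6\t10.0.2.3\t51005\t198.51.100.77\t14444\ttcp\t-\t3600.0\t40000\t8000\tS1
"""

# Constructed ssh.log excerpt using a subset of Zeek's ssh.log columns.
SAMPLE_SSH_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts\tdirection
1589180000.0\tS1\t192.0.2.10\t40000\t10.0.0.2\t22\tT\t1\tINBOUND
1589180010.0\tS2\t192.0.2.10\t40001\t10.0.0.3\t22\tT\t1\tINBOUND
1589180020.0\tS3\t192.0.2.10\t40002\t10.0.0.4\t22\tT\t1\tINBOUND
1589180030.0\tS4\t192.0.2.55\t40003\t10.0.0.2\t22\tF\t6\tINBOUND
1589180040.0\tS5\t192.0.2.77\t40004\t10.0.0.2\t22\tT\t1\tINBOUND
1589180050.0\tS6\t10.0.1.5\t40005\t10.0.0.3\t22\tT\t1\tINBOUND
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's default TSV layout: the '#fields' line names the columns,
    other '#' lines are metadata, and every remaining line is one record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed lines
                records.append(dict(zip(fields, values)))
    return records


def _interval(value: str) -> float:
    # Zeek writes '-' for unset fields, e.g. the duration of a half-open (S0) connection.
    return 0.0 if value == "-" else float(value)


def _is_internal(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def suspected_pool_sessions(conn_log: str, internal_nets=("10.0.0.0/8",),
                            min_duration: float = 600.0) -> List[str]:
    """Return uids of long-lived TCP sessions from internal hosts to external
    hosts on stratum-style ports. Short probes and half-open connections are
    left out so a single port hit does not page anyone."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits: List[str] = []
    for rec in parse_zeek_tsv(conn_log):
        if rec["proto"] != "tcp" or _is_internal(rec["id.resp_h"], nets):
            continue
        if int(rec["id.resp_p"]) in STRATUM_PORTS and _interval(rec["duration"]) >= min_duration:
            hits.append(rec["uid"])
    return hits


def external_sources_spanning_nodes(ssh_log: str, internal_nets=("10.0.0.0/8",),
                                    min_nodes: int = 3) -> Dict[str, int]:
    """Return external source IPs that authenticated successfully to at least
    min_nodes distinct SSH responders. Zeek's ssh.log carries no username, so
    one address fanning out across login nodes is the usable signal here."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    nodes_per_src: Dict[str, Set[str]] = {}
    for rec in parse_zeek_tsv(ssh_log):
        if rec["auth_success"] != "T" or _is_internal(rec["id.orig_h"], nets):
            continue
        nodes_per_src.setdefault(rec["id.orig_h"], set()).add(rec["id.resp_h"])
    return {src: len(nodes) for src, nodes in nodes_per_src.items() if len(nodes) >= min_nodes}


if __name__ == "__main__":
    print(suspected_pool_sessions(SAMPLE_CONN_LOG))         # ['C2', 'C6']
    print(external_sources_spanning_nodes(SAMPLE_SSH_LOG))  # {'192.0.2.10': 3}
```

Both checks are deliberately conservative: the port list alone would flag the 12-second probe in C4 and the never-established connection in C5, which is why the duration threshold is there, and the SSH check ignores failed attempts and internal-to-internal logins so that only the cross-node fan-out from a single outside address is reported. In a real deployment the thresholds, the internal ranges and the port list would be tuned to the site, and the hits fed to an analyst rather than acted on automatically.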
These incidents raise the very serious concern of cybersecurity in institutes of higher education, where much of this cutting-edge research takes place. Universities are home to some of the most advanced research projects in the world across many disciplines, including computer science, but they are also notoriously vulnerable to attack when those systems are connected to the wider university network. Last year, the Higher Education Policy Institute commissioned a study to test the reliability of UK university security systems. Across the 50 institutions tested, the testers broke into every one within two hours and gained access to student and employee information, institutional records, and research data.
It’s still unclear exactly what happened in these HPC incidents. However, it would not be surprising to discover that criminals wanted access to these supercomputers to mine cryptocurrency or to engage in other malicious activity.
The digital and connected nature of today’s world means that every endpoint, device, network segment, piece of infrastructure, and item of information is a resource that some criminal somewhere will find useful for personal gain. Therefore, organisations of all sizes and across all industries need to take steps to secure their digital assets, and to raise security awareness amongst staff so that they can make better security risk decisions in their day-to-day work.
Supercomputers are lucrative targets for threat actors because of the sheer amount of money they can yield through mining. Regular PCs simply can’t mine digital currencies at anywhere near the rate supercomputers can. What is interesting about this case is that the attackers appear to have compromised the supercomputers entirely remotely, for the first time; in previously reported cases an insider installed the crypto-mining malware.
All the SSH login credentials will now need resetting, which may take a while, but it is vital to stop further attacks. Once a set of credentials is compromised, it is a race against time to reset them, and resetting passwords alone is not enough if SSH keys were exposed as well. Unfortunately, the lead time is usually enough of a head start for threat actors to get their mining software running.