European Supercomputers Used for COVID Research Hijacked by Crypto Miners

A series of supercomputers across Europe have been hacked by an unknown group.

Last week, an unidentified group of attackers infiltrated several European supercomputers and installed cryptocurrency mining software.

More than a dozen systems in the United Kingdom, Germany, Spain and Switzerland were targeted. As a result, many of those machines were taken offline and shut down to contain the intrusion.

On Monday, the German organization bwHPC posted a notice stating that five of its supercomputers had been compromised by cryptomining malware:

“Dear users, due to an IT security incident, the state HPC systems bwUniCluster 2.0, ForHLR II, bwForCluster JUSTUS, bwForCluster BinAC and Hawk are currently unavailable. Our experts are already working on assessing the issue.”

Investigators believe the first system targeted was “Archer,” a supercomputer hosted at the University of Edinburgh that had been used to support COVID-19 research.

The attackers gained access to the affected machines using credentials harvested from previously compromised networks in China and Poland.

Cado Security, a firm that provides digital forensics and incident response software, noted that researchers often have accounts on multiple high-performance computing facilities. That common practice can make it easier for attackers to move laterally and misuse valid credentials to access additional institutions.

In at least two incidents, the group accessed supercomputers via compromised SSH accounts. They then exploited a vulnerability in the Linux kernel to escalate privileges to root and install Monero (XMR) mining software.

To avoid detection, the attackers scheduled the mining processes to run only at night.

The exact motive for the campaign remains unclear. Financial gain from running Monero mining scripts is the most obvious explanation, but it is notable that many of the affected systems were involved in coronavirus research and analysis. Some observers suggest that this pattern could indicate a desire to access sensitive research data, potentially pointing to a state-aligned actor organizing the attacks.