Supercomputers across Europe have been hacked over the last week by an unknown group that has been inserting cryptocurrency mining software.
At least a dozen supercomputers in Germany, the U.K., Switzerland and Spain were targeted, with many being taken offline as a result of the hacks. The first system targeted is believed to be “Archer,” a supercomputer at the University of Edinburgh that was being used to perform analysis of coronavirus research before being taken offline.
Those behind the attacks gained access to the targeted supercomputers by stealing login credentials from compromised networks at universities in China and Poland. According to Cado Security, it is reportedly common for users at different high-performance computing facilities to have logins for other institutions, making it easy for attackers to gain access.
In two of the security incidents, the group behind the attacks connected to the supercomputers using a compromised SSH account and then exploited a vulnerability in the Linux kernel to gain root access and install Monero (XMR) cryptomining software. The cryptomining software had been set up to run only at night in an attempt to avoid being discovered.
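The night-only schedule described above is itself a pattern defenders can look for. As an added example (not from the article or the affected sites), this Python code flags account/command pairs whose heavy CPU use recurs on several nights but never appears in daytime; the sample records, field layout, names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the incidents): periodic CPU samples as
# (ISO timestamp, account, command name, CPU percent).
SAMPLES = [
    ("2024-03-04T23:10:00", "alice", "svc-helper", 390.0),
    ("2024-03-05T02:40:00", "alice", "svc-helper", 395.0),
    ("2024-03-05T13:00:00", "alice", "svc-helper", 0.5),   # idle during the day
    ("2024-03-05T23:30:00", "alice", "svc-helper", 388.0),
    ("2024-03-06T03:15:00", "alice", "svc-helper", 392.0),
    ("2024-03-05T10:00:00", "bob", "simulate", 400.0),     # busy day and night
    ("2024-03-05T23:00:00", "bob", "simulate", 400.0),
    ("2024-03-06T01:00:00", "carol", "backup.sh", 80.0),   # a single night only
]

NIGHT_START, NIGHT_END = 22, 6  # assumed local "night" window, 22:00-06:00


def is_night(ts):
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def night_of(ts):
    # Samples after midnight belong to the night that began the previous day.
    return (ts - timedelta(days=1)).date() if ts.hour < NIGHT_END else ts.date()


def night_only_jobs(samples, min_cpu=50.0, min_nights=2):
    """Return (account, command) pairs that are CPU-heavy on at least
    min_nights distinct nights and never CPU-heavy in daytime."""
    nights = defaultdict(set)   # pair -> set of nights with heavy use
    day_busy = set()            # pairs seen with heavy use in daytime
    for stamp, user, cmd, cpu in samples:
        if cpu < min_cpu:
            continue            # ignore idle or light samples
        ts = datetime.fromisoformat(stamp)
        if is_night(ts):
            nights[(user, cmd)].add(night_of(ts))
        else:
            day_busy.add((user, cmd))
    return sorted(pair for pair, seen in nights.items()
                  if pair not in day_busy and len(seen) >= min_nights)


if __name__ == "__main__":
    for user, cmd in night_only_jobs(SAMPLES):
        print(f"review: {user} runs {cmd} at high CPU only at night")
```

On a cluster where scheduled batch jobs legitimately run overnight, the result is a list of candidates to compare against the scheduler's records, not a verdict.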
A notification from the Swiss Center of Scientific Computations in Zurich was more vague, referring only to malicious activity that resulted in external access to the center being closed until security issues were fixed.
The true motivation behind the attacks remains unknown. Although profit from the installation of the Monero mining script would appear the most obvious answer, most of the systems targeted were involved in COVID-19 research and analysis. Access to that research could be the motivation, with a nation-state actor behind the attacks.
If the COVID-19 research on the targeted systems was simply a coincidence, then it was certainly an unfortunate one, since the attacks disrupted ongoing research into the pandemic.