Many supercomputers in Europe down after hack

Several high-performance computers in Europe were attacked by cyber criminals and have since been taken down (i.e. disconnected from the internet). It is not yet entirely clear what the target of the attack was. Addendum: it seems the attackers mined cryptocurrency.



Supercomputers offline

The incident concerns computing centres in Europe where high-performance computers (supercomputers) are used for research; there, for example, simulations are run in the search for drugs against Covid-19. The German IT site heise reported here that various European high-performance computing centres have cut off access to their computing capacities in the last few days, citing "security problems".

  • Leibniz Supercomputing Center (LSC) in Garching writes on its status page on May 14, 2020: We can confirm a security incident that has affected our high-performance computers. To be on the safe side, we have therefore sealed off the affected machines from the outside world. The users and the responsible authorities have been informed. We will keep you informed about further details, but ask for your understanding that we will not make any statements while we are still investigating the situation. We are also in close contact with our partners at the Gauss Supercomputing Centre and the Gauss Alliance, and with our European partners at PRACE.
  • The Hawk high-performance computer at the Stuttgart High Performance Computing Centre (HLRS) is 'shut down due to a security incident', according to a status report dated May 10, 2020.
  • The status page of the computing centre in Jülich reports 'due to an IT security incident, the system is currently unavailable'.

No details are given by the computing centres – but it seems that other European supercomputers are affected as well. heise mentions computing centres in Scotland, which state that several computers in the UK and elsewhere in Europe have been compromised. Users of the high-performance computers bwUniCluster 2.0 and ForHLR II at the Karlsruhe Institute of Technology (KIT) were informed by the operator via e-mail about a "serious security incident". The systems had been compromised through attacks using stolen user account data. According to the current state of knowledge, a quick resolution of the problem is unlikely.

In Fefe's German blog, Felix von Leitner has collected some voices from the community of affected researchers. A source from Jülich is cited there with the information: 'A backdoor was identified on several of our HPC systems.'

Speculation about the purpose of the hack

There is speculation that China is engaged in espionage and wants to obtain data from research into Covid-19 therapies. SPON reports here, however, that the attacks began months ago via a hijacked account but remained undiscovered for a long time. According to this SPON article, six supercomputers in Germany have been compromised. The Süddeutsche Zeitung quotes Dieter Kranzlmüller, head of the Leibniz computing centre in Garching near Munich. Kranzlmüller says 'that the close networking of the supercomputers made it possible for the hackers to penetrate other computer centres'. This means that many computing centres with these high-performance computers (Cray) are affected.

The damage the hackers have caused is currently unclear. Kranzlmüller is quoted as saying that "it is not apparent from the so-called log files, which record activities on the computers, that large amounts of data have flowed off". And further: "The machines continue to work, but are cut off from the outside world." The reason: the operators have cut the connection to the outside world, so the researchers can no longer access the computers and the projects have come to a standstill. The operators are therefore puzzling over what the attackers intended to do with the implanted backdoor. The captured data is useless to the hackers, since only the researchers know its meaning from the simulation models. And the researchers publish the results as soon as they are available.



It's about crypto mining

Addendum: After the article was published here, Catalin Cimpanu took up the topic (see following tweet).

Saturday morning the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers in Europe, released malware samples and network compromise indicators from some of these incidents.

The malware samples were reviewed by Cado Security, a US-based cyber security company. The company states that the attackers apparently used compromised SSH credentials to gain access to the supercomputer clusters. The credentials appear to have been stolen from members of universities in Canada, China and Poland, who had access to the supercomputers in order to carry out computing tasks.

Chris Doman, co-founder of Cado Security, told ZDNet that although there is no official evidence that all the break-ins were carried out by the same group, the company's security team is still investigating. However, similar malware file names and network indicators suggest that it could be the same attacker.

According to Doman's analysis, once they had gained access to a supercomputer node, the attackers appear to have used the vulnerability CVE-2019-15666 in the Linux kernel to gain root access and then deployed an application that mines the cryptocurrency Monero (XMR).
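One defensive check a computing centre could run over its sshd logs in light of the stolen-credential vector described above: flag accounts whose successful logins arrive from several different networks within a short window, a pattern a single legitimate researcher rarely produces. This is an added example, not code from the page, from EGI CSIRT or from Cado Security; the log lines, account names and addresses are constructed, and the /16 netblock is a crude stand-in for a site or country lookup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample sshd lines in syslog format (not from the page); year is assumed.
SAMPLE_LOG = """\
May 10 02:14:07 login01 sshd[4123]: Accepted publickey for alice from 192.0.2.10 port 51422 ssh2
May 10 02:20:31 login01 sshd[4130]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
May 10 03:05:12 login02 sshd[5001]: Accepted password for bob from 203.0.113.5 port 33114 ssh2
May 10 03:07:44 login01 sshd[4201]: Accepted publickey for alice from 203.0.113.77 port 41020 ssh2
May 11 09:00:00 login02 sshd[6100]: Accepted publickey for bob from 203.0.113.5 port 33200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_accepted(log_text, year=2020):
    """Return (timestamp, user, source_ip, host) for each successful login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["host"]))
    return events

def network_of(ip, prefix=16):
    """Collapse a source address to its /16 as a rough proxy for 'where it came from'."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def flag_shared_accounts(events, window_hours=2, min_networks=2):
    """Return {user: sorted networks} for accounts seen from >= min_networks
    distinct networks inside any window_hours-long window."""
    by_user = defaultdict(list)
    for ts, user, ip, _host in events:
        by_user[user].append((ts, network_of(ip)))
    flagged = {}
    window = timedelta(hours=window_hours)
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _net) in enumerate(evs):
            nets = {n for t, n in evs[i:] if t - start <= window}
            if len(nets) >= min_networks:
                flagged[user] = sorted(str(n) for n in nets)
                break
    return flagged
```

Feeding such hits into the centre's alerting, together with the federated partners' login data, would surface a credential being reused across sites long before miner processes show up in accounting logs.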

