{"id":14459,"date":"2020-05-16T04:03:24","date_gmt":"2020-05-16T02:03:24","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=14459"},"modified":"2022-01-03T22:55:21","modified_gmt":"2022-01-03T21:55:21","slug":"hochleistungsrechner-in-europa-nach-angriff-abgeschaltet","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/05\/16\/hochleistungsrechner-in-europa-nach-angriff-abgeschaltet\/","title":{"rendered":"Many supercomputers in Europe down after hack"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/05\/16\/hochleistungsrechner-in-europa-nach-angriff-abgeschaltet\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Several high-performance computers in Europe were attacked by cyber criminals and have since been taken offline (disconnected from the internet). It is not yet entirely clear what the target of the attack was. <strong>Addendum:<\/strong> It seems the attackers mined cryptocurrency.<\/p>\n<p><!--more--><\/p>\n<h2>Supercomputers offline<\/h2>\n<p>The affected sites are computing centres in Europe where high-performance computers (supercomputers) are used for research. There, for example, simulations are run for the search for drugs against Covid-19. 
German IT site heise <a href=\"https:\/\/www.heise.de\/security\/meldung\/Mehrere-Hochleistungsrechenzentren-in-Europa-angegriffen-4721393.html\" target=\"_blank\" rel=\"noopener noreferrer\">reported here<\/a> that various European high-performance computing centres have blocked access to their computing capacity in the last few days, citing \"security problems\".<\/p>\n<ul>\n<li>The Leibniz Supercomputing Center (LSC) in Garching writes on its <a href=\"https:\/\/web.archive.org\/web\/20200620135633\/https:\/\/www.lrz.de\/aktuell\/ali00856.html\" target=\"_blank\" rel=\"noopener noreferrer\">status page<\/a> on May 14, 2020: We can confirm a security incident that has affected our high-performance computers. To be on the safe side, we have therefore sealed off the affected machines from the outside world. The users and the responsible authorities have been informed. We will keep you informed about further details, but ask for your understanding that we will not make any statements while we are still investigating the situation. We are also in close contact with our partners at the Gauss Supercomputing Centre and the Gauss Alliance, and with our European partners at PRACE.<\/li>\n<li>The Hawk high-performance computer at the Stuttgart High Performance Computing Centre (HLRS) is 'shut down due to a security incident', according to a <a href=\"https:\/\/websrv.hlrs.de\/cgi-bin\/hwwweather\" target=\"_blank\" rel=\"noopener noreferrer\">status report<\/a> dated May 10, 2020.<\/li>\n<li>The <a href=\"https:\/\/web.archive.org\/web\/20211117174448\/https:\/\/dispatch.fz-juelich.de:8812\/HIGHMESSAGES\" target=\"_blank\" rel=\"noopener noreferrer\">status page<\/a> of the computer centre in J\u00fclich reports 'due to an IT security incident, the system is currently unavailable'.<\/li>\n<\/ul>\n<p>No details are given by the computing centres &#8211; but it seems that other European supercomputers are affected. 
heise mentions computing centres in Scotland, which state that several computers in the UK and elsewhere in Europe have been compromised. Users of the high-performance computers bwUniCluster 2.0 and ForHLR II at the Karlsruhe Institute of Technology (KIT) were informed by the operator via e-mail about a \"serious security incident\". The systems had been compromised by attacks via stolen user account data. According to the current state of knowledge, a quick resolution of the problem is unlikely.<\/p>\n<p>In Fefe's German blog, Felix von Leitner has <a href=\"https:\/\/blog.fefe.de\/?ts=a04505b4\" target=\"_blank\" rel=\"noopener noreferrer\">collected<\/a> some voices from the community of affected researchers. A source from J\u00fclich is cited there with the information 'A backdoor was identified on several of our HPC systems.'<\/p>\n<h2>Speculation about the purpose of the hack<\/h2>\n<p>There is speculation that China is engaged in espionage and wants to obtain data for research into Covid-19 therapies. SPON <a href=\"https:\/\/www.spiegel.de\/netzwelt\/web\/hacker-angriff-mehrere-supercomputer-in-europa-kompromittiert-a-e7abe6d3-14f5-462a-8db8-3ac3293fe502\" target=\"_blank\" rel=\"noopener noreferrer\">reports here<\/a>, however, that the attacks began months ago via a hijacked account, but remained undiscovered for a long time. According to this <a href=\"https:\/\/www.spiegel.de\/netzwelt\/web\/hacker-angriff-mehrere-supercomputer-in-europa-kompromittiert-a-e7abe6d3-14f5-462a-8db8-3ac3293fe502\" target=\"_blank\" rel=\"noopener noreferrer\">SPON article<\/a>, six supercomputers in Germany have been compromised. The <a href=\"https:\/\/www.sueddeutsche.de\/digital\/supercomputer-hacker-garching-corona-1.4909397\" target=\"_blank\" rel=\"noopener noreferrer\">S\u00fcddeutsche Zeitung<\/a> quotes Dieter Kranzlm\u00fcller, head of the Leibniz computer centre in Garching near Munich. 
Kranzlm\u00fcller says, 'that the close networking of the supercomputers made it possible for the hackers to penetrate other computer centres'. This means that many computing centres with these high-performance computers (Cray) are affected.<\/p>\n<p>The damage the hackers have caused currently seems unclear. Kranzlm\u00fcller is quoted as saying that \"it is not apparent from the so-called log files, which record activities on the computers, that large amounts of data have flowed off\". And further: \"The machines continue to work, but are cut off from the outside world.\" The reason: the operators have cut off the connection to the outside world, i.e. the researchers can no longer access the computers, and the projects have come to a standstill. The operators are therefore puzzling over what the attackers intended to do with the implemented backdoor. The captured data is useless to the hackers, since only the researchers know its meaning from the simulation models. And the researchers publish the results as soon as they are available.<\/p>\n<h2>It's about crypto mining<\/h2>\n<p><strong>Addendum: <\/strong>After the article was published here, Catalin Cimpanu took up the topic (see following tweet).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Supercomputers hacked across Europe to mine cryptocurrency<\/p>\n<p>&#8211; Confirmed intrusions at supercomputers in the UK, Germany, Switzerland<br \/>\n&#8211; Unconfirmed intrusion at a supercomputer in Spain<a href=\"https:\/\/t.co\/C5IvEZopgw\">https:\/\/t.co\/C5IvEZopgw<\/a> <a href=\"https:\/\/t.co\/AEkahV0Lti\">pic.twitter.com\/AEkahV0Lti<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1261743783751888897?ref_src=twsrc%5Etfw\">May 16, 2020<\/a><\/p><\/blockquote>\n<p>On Saturday morning the Computer Security Incident Response Team (CSIRT) for the European 
Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers in Europe, <a href=\"https:\/\/csirt.egi.eu\/academic-data-centers-abused-for-crypto-currency-mining\/\" target=\"_blank\" rel=\"noopener noreferrer\">released malware samples and network compromise indicators<\/a> from some of these incidents.<\/p>\n<p>The malware samples were reviewed by Cado Security, a US-based cyber security company. The <a href=\"https:\/\/web.archive.org\/web\/20201103073746\/https:\/\/www.cadosecurity.com\/2020\/05\/16\/1318\/\" target=\"_blank\" rel=\"noopener noreferrer\">company states<\/a> that the attackers apparently used compromised SSH credentials to gain access to the supercomputer clusters. The credentials appear to have been stolen by members of universities in Canada, China and Poland. They had access to the supercomputers in order to carry out computing tasks.<\/p>\n<p>Chris Doman, co-founder of Cado Security, told ZDNet that although there is no official evidence that all the break-ins were carried out by the same group, the company's security team is still investigating. However, similar malware file names and network indicators suggest that it could be the same attacker.<\/p>\n<p>According to Doman's analysis, once they gained access to a supercomputer node, the attackers appear to have used the vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-15666\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2019-15666<\/a> in the Linux kernel to gain root access and then deployed an application that mines the cryptocurrency Monero (XMR).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Several high-performance computers in Europe were attacked by cyber criminals and have since been taken offline (disconnected from the internet). It is not yet entirely clear what the target of the attack was. 
Addendum: It seems, the attackers mined &hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/05\/16\/hochleistungsrechner-in-europa-nach-angriff-abgeschaltet\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[2446,447,69,2447],"class_list":["post-14459","post","type-post","status-publish","format-standard","hentry","category-security","tag-backdoor","tag-hack","tag-security","tag-super-computer"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=14459"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14459\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=14459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=14459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=14459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}