Supercomputers are being hacked across Europe to mine Monero (XMR) cryptocurrency or to steal Coronavirus COVID-19 research
We had reported how hackers broke into the Archer supercomputer in the United Kingdom on 13th May. The Archer admins had said at the time that the hackers were only able to exploit the SSH login nodes (at the time of writing this article, Archer is still shut off). Even then, it seemed there was much more to the attack than compromised login nodes.
It is now confirmed that the hackers are breaking into supercomputers across Europe to mine the Monero (XMR) cryptocurrency. The hackers have already managed to hack into the following supercomputers located across the length and breadth of Europe:
- Archer supercomputer in the United Kingdom
- The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
- The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
- The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
- The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University
- Supercomputer in Barcelona, Spain
- Leibniz Computing Center (LRZ) at the Bavarian Academy of Sciences in Germany
- JURECA supercomputer in Germany
- JUDAC supercomputer in Germany
- JUWELS supercomputer in Germany
- High-performance computing cluster at Ludwig-Maximilians University in Munich, Germany.
The breadth of the attack is mind-blowing. All the above supercomputers were hacked through an SSH weakness in their login nodes.
Supercomputers hacked by exploiting compromised SSH logins
From the pattern of the attacks, it seems that the hackers are either exploiting compromised SSH logins or using a backdoor. Stolen SSH logins are often sold on sites like MagBo, which also offer buyers web shell access to compromised webservers. Cado Security researchers analysed the malware and found that the hackers gained access to the supercomputer clusters via compromised SSH credentials. The Cado researchers stated that the credentials appear to have been stolen from university members who were given access to the supercomputers to run computing jobs, and that the intrusions seem to be the handiwork of the same hacker group. However, this has not been confirmed by Cado Security.
Chris Doman, Co-Founder of Cado Security, says that once the attackers gained access to a login node, they appear to have exploited the CVE-2019-15666 vulnerability to gain root access and then deployed malware that mined the Monero (XMR) cryptocurrency.
In the security researcher Felix von Leitner’s blog post, he claims people with knowledge of the Julich supercomputer confirmed that “A backdoor was identified on several of our HPC systems.”
Almost all of the above supercomputers were prioritizing Coronavirus COVID-19 drug and vaccine research. Therefore it is quite possible that a state-sponsored hacking group is responsible for these attacks on supercomputers. The hackers may be after the COVID-19 data stored on the supercomputers, as President Trump suggested yesterday.
Another possibility is that the hackers exploited the recently discovered Salt framework vulnerability. This too has not been confirmed independently.