Supercomputers across Europe compromised by hackers

Thought to have gained access access through compromised SSH credentials

Multiple supercomputers across Europe have been hit by cyber attacks since the start of the month, and many of them are still unavailable to users.

High-performance computers (HPCs) and data centres in Germany, UK and Switzerland have been affected by recent security incidents, but there is currently no information about the hacking group(s) responsible for the attacks.

The UK's National Supercomputing Service ARCHER, which has been unavailable to researchers since 11^th May, told its users last week that they would not be able to log in or submit new jobs on its platform, although jobs that had already been queued would continue to run.

ARCHER also told users that they would not be able to use existing SSH keys and passwords on the platform.

"When ARCHER returns to service, all users will be required to use two credentials to access the service: an SSH key with a passphrase and their ARCHER password. It is imperative that you do not reuse a previously used password or SSH key with a passphrase," ARCHER stated on its website.

The Baden-Württemberg High Performance Computing (bwHPC) service, which coordinates research projects across various supercomputers in Germany, also announced last week that a security incident had made five of its clusters unavailable to users. The clusters affected in the incident are:

ForHLR II
bwUniCluster 2.0
Hawk
bwForCluster BinAC
bwForCluster JUSTUS

The Jülich Supercomputing Centre (JSC) in Germany confirmed an IT security incident last week which led to shut down of its JUDA, JURECA, and JUWELS supercomputers.

SPIEGEL journalist Patrick Beuth said on Twitter that at least nine supercomputers in Germany have suffered cyber attacks recently, and six of them are currently offline.

https://twitter.com/PatrickBeuth/status/1261018276789997572?ref\\_src=twsrc%5Etfw

Attackers had root privileges in at least one case, Beuth claimed.

Some other supercomputing services in Europe that have reported security incidents include Leibniz Supercomputing Centre, Taurus system at the Technical University in Dresden, The bwForCluster NEMO in Freiburg, and the Swiss Centre of Scientific Computations.

While none of the organisations disclosed technical details about the attacks, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure has published malware samples and indicators of compromise from two incidents.

CSIRT noted that the attackers likely gained access to supercomputer clusters through compromised SSH credentials to mine the Monero cryptocurrency.

The victims in these incidents were based in the US, Europe and China, according to CSIRT, and in once case the malicious mining activity was configured to run only during night hours to avoid detection.