Published 24 May 2020

Some leading educational institutions in Europe have had to shut down their supercomputers after they became infected with malware seeking to use their computing power to mine cryptocurrency. ZDNet reports incidents occurring in Germany, the UK, and Switzerland, as well as a rumoured intrusion at a Spanish computing centre.

Cryptocurrency is generally “mined” by attempting to solve complex computational puzzles, with the first miner to solve a given puzzle being rewarded with an amount of cryptocurrency. Because supercomputers have massively greater computing power than a typical home computer, they present an attractive target for cybercriminals, even though the malware will usually be discovered and removed relatively quickly.

While none of the targeted institutions have released specific details about the techniques used in the attack, the European Grid Infrastructure’s Computer Security Incident Response Team has released some network compromise indicators and malware samples. The cybercriminals appeared to have initially gained access using compromised Secure Shell (SSH) credentials stolen from researchers running jobs on the machine. They then applied a known exploit to gain root access before deploying the malware to mine Monero cryptocurrency. While multiple threat actors may have instigated the breach, similarities in network indicators and filenames suggest the same group was behind the attacks.

The University of Edinburgh reported the first attack, which affected its ARCHER supercomputer. The machine was promptly shut down while the university investigated the incident and reset SSH login credentials. Next, the organisation that coordinates supercomputers in the Baden-Württemberg state of Germany reported that five high-performance computing clusters had to be shut down under similar circumstances. Over the week, further reports emerged about similar incidents in Barcelona, Leibniz, Julich, Dresden, Munich, and Zurich.

While misusing high-performance computers to mine cryptocurrency is not a new idea, cybersecurity specialist Jake Moore pointed to the novel nature of the attacks:

“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto mining malware used for the attack.”

He said that to prevent future attacks, institutions needed to undertake the time-consuming process of resetting all SSH login credentials. He added that the threat actors were likely to benefit from their actions, saying:

“Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”

While this was certainly an audacious series of attacks, many less ambitious cybercriminals also deploy cryptocurrency mining applications when they compromise more mundane systems. Such intrusions may go unnoticed for weeks or months and only become apparent when the threat actor decides to escalate the intrusion to something more damaging, such as a ransomware attack. At Pro-Networks, we can help prevent this by providing managed network services that secure your organisation through technologies such as threat monitoring, internal vulnerability scans and firewalls, among others.
