This week, a number of European supercomputers discovered intrusive malware hosted on their systems. Now, in the midst of a massive supercomputing research effort to tackle COVID-19, many enlisted systems have shut down or restricted access while they investigate and remove the malware.
The attacks may have been perpetrated in order to mine cryptocurrency; investigations are ongoing.
At least three countries – Germany, Switzerland and the UK – have been affected, with another possible intrusion rumored in Spain. ZDNet aggregated the known intrusions:
- The University of Edinburgh – The first reported incident was an intrusion on the University of Edinburgh’s ARCHER supercomputer. Last Monday, the ARCHER team disabled access to ARCHER “due to a security exploitation on the ARCHER login nodes,” saying that they were “working with Cray to investigate.”
- bwHPC – Also by Monday, at least five systems were affected under the umbrella of bwHPC, which integrates supercomputing systems and projects in Baden-Württemberg, Germany. These included the Karlsruhe Institute of Technology’s bwUniCluster 2.0 and ForHLR II clusters; Tübingen University’s bwForCluster BinAC supercomputer; Ulm University’s bwForCluster JUSTUS supercomputer; and, perhaps most crucially, the newly inaugurated Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS). All affected systems are currently down.
- Leibniz Supercomputing Centre (LRZ) – On Thursday, LRZ announced that “due to a security issue [it had] temporarily closed access from the outside world to all HPC systems,” saying that they would not make further statements while they were still investigating the breach.
- Jülich Supercomputing Centre (JSC) – Also on Thursday, JSC announced that due to a security incident, it had been forced to shut down all three of its major systems: JURECA, JUDAC and JUWELS.
- Dresden University of Technology – A final Thursday announcement came from the Dresden University of Technology, which had to shut down access to its Taurus supercomputer “due to a security issue.”
- Ludwig-Maximilians University – On Saturday, faculty member Robert Helling revealed that “a few clusters in the … basement” of the physics department at Ludwig-Maximilians University had also been affected by the malware. Helling also conducted an analysis of the malware, which can be found here.
- The Swiss National Supercomputing Centre (CSCS) – CSCS announced on Saturday that it had “been paralyzed by a cyber-incident” and had closed external access to its supercomputing infrastructure until it was restored to a safe environment.
While all of the above institutions have been predictably cagey with details as they attempt to oust the intruders, samples of the malware were released by the European Grid Infrastructure (EGI), and those samples were subsequently reviewed by cybersecurity firm Cado Security. According to Cado, access was gained through compromised credentials from users in Canada, China and Poland, and the malware from the known incidents appears to suggest that the same actor is responsible for many – if not all – of the attacks. Cado’s analysis also indicates that once the malware took hold of the machines, it began talking to a cryptocurrency pool server, possibly hijacking the supercomputers for cryptocurrency mining.
These intrusions come at perhaps the worst possible time for the supercomputing community, with nearly every supercomputer in the world devoting at least some of its resources to the urgent battle against COVID-19. ARCHER, for instance, is playing host to a pandemic modeling tool called “covid-sim,” and Hawk is devoting tens of millions of core hours to a series of COVID-19 drug discovery projects, as is Piz Daint at CSCS.
The attacks also coincide with a statement issued by the U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security warning of possible cyberattacks targeting COVID-19 research. “The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by [People’s Republic of China]-affiliated cyber actors and non-traditional collectors,” the FBI wrote in the statement. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”