Hackers Targeted Supercomputers Across Europe for Cryptocurrency Mining

Server room

Several supercomputers across Europe have been shut down after security breaches occurred. Incidents occurred in Germany, the UK, and Switzerland over the past week. Another attack on a computer center in Spain might have been related as well. The supercomputers had been infected with cryptocurrency mining software and had to shut down for investigations.

Universities Under Attack

Interestingly, the attacks were all reported by universities. The first report of an attack came from the University of Edinburgh. The organization, that runs the ARCHER supercomputer, reported “security exploitation on the ARCHER login nodes”. They decided to shut down the system and reset their passwords to prevent any more intrusions.

Later that day more reports came in from institutions in Germany. Five supercomputers in the state of Baden-Württemburg had to be shut down due to similar issues. Universities in Stuttgart, Karlsruhe, Ulm, and Tübingen were amongst the targeted institutions.

On Wednesday reports came in from Barcelona, who were struggling with security issues as well. More incidents in Germany came to light on Thursday. The Bavarian Academy of Sciences suffered a security breach and had to disconnect a computer cluster from the internet. The Julich Research Center and the Technical University in Dresden reported the same problems.

Last Saturday two more reports surfaced, one from a University in Munich, Germany and one from the Swiss Center of Scientific Computations in Zurich, Switzerland. Again, similar issues were reported and supercomputers had to be shut down until they could guarantee a safe environment.

Crypto Mining

The hackers attacked the supercomputers with the intention of mining cryptocurrency. All of the supercomputers had been infected with cryptocurrency mining software. But what does that actually mean?

Mining Cryptocurrency is a method that is used to validate transactions that have been made over a blockchain network. It is meant to ensure that the same crypto token isn’t spent twice. Blockchain is the digital ledger where all transactions involving a virtual currency are stored. It protects transaction data through encryption and stores this data in a decentralized manner all over the world.

So, cryptocurrency miners are people with high powered computers who try to solve complex math equations before someone else does. These equations are derived from the encryption that protects the transaction data. The person who solves the equation first verifies a transaction in the blockchain ledger and gets a block reward. This reward is then paid out in virtual coins. This process is called ‘proof of work’.

Another well known verification process is ‘proof of stake’. This basically comes down to the idea that the more cryptocurrency you own, the more chance you have of getting to verify transactions. The proof of stake model chooses who gets to verify the next block of transactions based on their ownership in a virtual currency. And with this process you don’t get paid in virtual coins, but you earn the transaction fees of the block of transactions that you verify.

So potentially, there is a lot of money to be made. Especially when you gain access to so many high powered computers.

Access Via SSH Logins

Cado Security, a cybersecurity firm, reviewed Malware samples from the attacks. The company stated that the attackers appear to have stolen university members’ SSH credentials. SSH stands for Secure Shell; it’s a secure way of remotely logging into a site’s server. The hackers were logging in with logins from universities in Canada, China and Poland.

Chris Doman, Co-founder of Cado Security, explained that “once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.”

Doman also stated that there is no official evidence that proves the breaches were caused by the same people. But the malware that was found had very similar file names and network indicators in each case. So it does suggest that the same people were behind the attacks.

Covid-19 Research

Many of the institutions that were hit by the hackers last week had previously announced that they were focusing on Covid-19 research. It is very likely that the research was hindered by the attack, since computers were disconnected from the internet for some time. Not all computers are back up at this point in time.

This is not the first time that Covid-19 research centers have been targeted. Last week we reported that the US accused China of targeting Covid-19 research organizations. The WHO and UK healthcare organizations have also been targeted by cyberattacks.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of VPNoverview.com. Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.