Hackers have compromised multiple supercomputers across Europe to deploy cryptocurrency mining malware, with incidents reported in the UK, Switzerland, and Germany. There are also rumors circulating of another possible attack against a high-performance computing centre located in Spain.
Most of the attacks appear to have targeted universities, with the University of Edinburgh, which runs the ARCHER supercomputer, being the first to report an intrusion last Monday. Later in the week, reports emerged of similar security incidents affecting five of bwHPC's compute clusters and a cluster at Munich's Ludwig-Maximilian University.
According to cyber security firm Cado Security, the attacks were carried out using compromised SSH credentials from universities in Canada, China, and Poland. The attacks used the same malware and exploited the same vulnerability, suggesting that the cryptomining operation may be the work of a single threat actor. In the case of ARCHER, the attacks appear to have been launched from a Chinese IP address.
"Once the attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XRM) cryptocurrency", the researchers explained.