A fleet of supercomputers belonging to academic institutions across European countries including the United Kingdom, Germany, Switzerland, and Spain has recently fallen prey to hackers. The breaches were carried out remotely, with the objective of mining cryptocurrency, the blockchain-based digital asset.
The attacks compromised not just one or two, but around 11 supercomputers. The hackers used stolen SSH (Secure Shell) credentials to get into the systems. Once inside, they deployed malware that mined cryptocurrency, and by the time any defensive action could have been taken, it was already too late.
The following questions can help develop a better understanding of this security incident:
Why supercomputers only?
Supercomputers became the prime target because mining is compute-intensive. In simple terms, the more powerful the machine, the higher the probability that an attacker earns more crypto rewards. This is why the attacks specifically targeted supercomputers.
What kind of data got stolen?
The universities were using the supercomputers to carry out research on COVID-19. The pandemic research data was not the target of the hackers; they stole SSH keys and credentials.
Who could possibly be responsible?
No official or formal statement has been released as to who was behind the attacks or who planned them, but it has been speculated that a single group was responsible, based on the following observations:
- Similar Targets: The target of these attacks was similar i.e. academic institutions of European countries.
- Similar Malware: The malware samples and signatures were very similar in all the attacks that were observed.
- Timing: All the attacks were carried out within a single week, which strengthens the theory of a single group behind the hacks.
What is being done now?
In the U.K., ARCHER, the national supercomputing service that provides supercomputing resources to the country's academic institutions, is investigating the incident and has announced that it would disable access to the affected systems after the attackers misused the login nodes.
ARCHER will also rotate the SSH keys and passwords for all its systems so that the previous credentials become invalid for any further use. The centre has also said that when the service returns, users will be required to present two credentials to log in successfully.
In Switzerland, the Swiss National Supercomputing Centre is also battling the same threat. After identifying the malicious signatures, it closed external access to its network.
To prevent this attack pattern from repeating in the future, universities and research centres should avoid storing credentials for other institutions' systems on their own machines. Without that precaution, a single compromise gives attackers an easy way to hop to other systems in a short amount of time. IT teams should also apply the latest security patches and updates, and InfoSec teams should build a better understanding of this attack vector.
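As an added example (not code from the article, nor from ARCHER or CSCS), the following Python script shows one concrete form of the audit recommended above: it walks a directory tree, recognises OpenSSH private keys in both the modern openssh-key-v1 format and the legacy PEM format, and reports which of them are stored without a passphrase, since those are the keys an intruder can reuse immediately to hop to another site. The home-directory layout, the file names and the key contents are all constructed for the demonstration and are not usable keys.

```python
"""Audit a directory tree for OpenSSH private keys stored without a
passphrase.  Added example for this article; the tree and key contents
below are constructed, not real keys."""
import base64
import binascii
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"
NEW_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def classify_key(text: str):
    """Return 'plaintext', 'encrypted', or None when text is not a private key."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        return None
    if lines[0] == NEW_HEADER:
        # Modern format: the base64 body starts with the magic string,
        # followed by the cipher name; "none" means no passphrase.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return None
            cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        except (binascii.Error, ValueError):
            return None
        return "plaintext" if cipher == b"none" else "encrypted"
    # Legacy PEM format: encryption is signalled by a Proc-Type header.
    headers = lines[1:3]
    if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
        return "encrypted"
    return "plaintext"


def audit_tree(root: str):
    """Walk root and return sorted [(relative path, status)] for each private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(65536)  # keys are a few KB; cap the read
            except OSError:
                continue
            status = classify_key(head)
            if status is not None:
                findings.append((os.path.relpath(path, root), status))
    return sorted(findings)


def _fake_openssh_key(cipher: bytes) -> str:
    """Constructed, format-correct header of an OpenSSH key; not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    payload = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(payload).decode()
    return f"{NEW_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format samples (bodies are filler, not key material).
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey user@host\n"


def demo():
    """Build a constructed home-directory tree in a temp dir and audit it."""
    samples = {
        "alice/.ssh/id_ed25519": _fake_openssh_key(b"aes256-ctr"),
        "bob/.ssh/id_rsa": _fake_openssh_key(b"none"),
        "bob/.ssh/id_rsa.pub": PUBLIC_KEY,
        "carol/keys/partner-site.pem": LEGACY_PLAIN,   # hypothetical other-site key
        "carol/keys/old.pem": LEGACY_ENCRYPTED,
        "carol/notes.txt": "nothing to see here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, status in demo():
        flag = "  <-- no passphrase" if status == "plaintext" else ""
        print(f"{status:10s} {rel}{flag}")
```

Run against a real home-directory tree, the two "plaintext" findings are the ones to act on: a key without a passphrase, especially one for another institution's system, is exactly what the article says enabled the attackers to hop between sites. Key rotation of the kind ARCHER announced invalidates any such key that has already been copied.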