In 2018, one of the leading cybercriminal trends was the so-called cryptojacking. This cybercriminal technique involves installing malware on victims’ computers and using their processing power to mine cryptocurrencies. That year, detections of this cyberattack grew 4,000% and, in the UK, as many as 59% of companies were affected by this kind of cyberincident.

However, today, cryptojacking seems to have almost completely disappeared, or at least has lost a lot of steam, since Coinhive, one of the most popular services for cryptojacking, closed down. Cybercriminals have had to turn to other techniques to make money since then. Until recently, that is.

European supercomputers hacked

In mid-May 2020, multiple supercomputers in European institutions were infected with cryptojacking malware. Due to these incidents, the organizations where these supercomputers are located have been forced to stop their research in order to investigate the intrusions.

In addition to incidents in the UK, Germany, and Switzerland, there are suspicions that a supercomputer in Barcelona was affected by this malware as well. The first incident was discovered at the University of Edinburgh on May 11, when the supercomputer ARCHER was infected. The university reported a “security exploitation on the ARCHER login nodes” and closed down the system to investigate and to reset the passwords to prevent further incidents.

The same day, bhHPC, the organization that coordinates research projects across supercomputers in Baden-Würtemburg in Germany, announced that it had had to shut down five of its computer clusters due to similar security incidents.

News of security incidents continued to arrive on Wednesday of that same week, when, in a blog post, the security researcher Felix von Leitner claimed that a supercomputer in Barcelona had been infected. In the days that followed, news of further infections arrived from Bavaria, Munich, Dresden, and Zürich.

How could these supercomputers be hacked?

Though none of the affected institutions published any details of the intrusions, the CSIRT from the European Grid Infrastructure published samples of the malware and collected network compromise indicators from the incidents.

The investigations that have been carried out suggest that the attackers were most likely able to get onto the supercomputers using compromised Secure Shell (SSH) credentials. The hackers appear to have stolen the credentials from university researchers who had been given access to these supercomputers to run projects. The compromised credentials were from universities in Canada, China, and Poland.

Once inside the computers, the attackers used an existing exploit for the vulnerability CVE2019-15666 to obtain root access. They used this access to deploy an application to mine the Monero cryptocurrency. Many of these supercomputers were conducting research into COVID-19 when these incidents occurred.

Even supercomputers need advanced cybersecurity

These incidents are further proof that cybersecurity is a key element in today’s world: not even the most advanced supercomputers are safe from cybercriminals. We can draw two conclusions from these cyberattacks:

  • Password hygiene is essential for protecting systems. If you use a weak password, your organization may be exposed to all kinds of cyberincidents. In fact, in 2019, 30% of ransomware infections were made possible by a weak password.
  • Vulnerabilities must be patched as soon as possible to avoid intrusions. Vulnerabilities have caused a veritable litany of incidents throughout the history of cybersecurity, many of which could have been stopped simply by applying a patch in time.

Cyberincidents are global and affect all of us, from the most powerful supercomputers and multinational corporations to SMEs and individual users. Stay up to date with all of the latest cybersecurity news with Panda Security.