Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys

Assault on TOP500-listed machine may have hit Euro HPC too, warn sysops


One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys.

The intrusion, which is understood to be under investigation by GCHQ offshoot the National Cyber Security Centre (NCSC), rendered the ARCHER high-performance computing (HPC) network unavailable to its users on Tuesday.

Sysadmins warned ARCHER users that their SSH keys may have been compromised as a result of the apparent attack, advising them to "change passwords and SSH keys on any other systems which you share your ARCHER credentials with".

In a statement posted to the project's status page on Wednesday, ARCHER admins said it appeared several academic high-performance computers were disrupted across Europe in addition to the Cray-built ARCHER. They explained:

Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.

Jobs that are currently running or queued will continue to run, but you will be unable to log in or to submit new jobs.

We now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe. We have been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the position and plan effective remedies.

Knowledgeable sources speculated to The Register that ARCHER is an obvious resource for research work by computational biologists as well as those modelling the potential further spread of the novel coronavirus – and is therefore a target for hostile states looking to steal advances from British research into the virus, or to simply disrupt it.

American authorities are reportedly set to publicly blame China and Iran for attempting to hack research institutions working to develop a vaccine, according to an unsourced claim made in the New York Times newspaper. This appears to be linked to understated – and unspecific – warnings from NCSC earlier this month about advanced persistent threat (APT) hacker crews targeting counter-COVID-19 research.

Hosted by the University of Edinburgh, ARCHER is a Cray XC30 supercomputer with 118,080 Intel Xeon E5 CPU cores at its disposal. It was due to be retired and replaced this month, though the global pandemic has delayed its planned withdrawal. El Reg reported on ARCHER2 when it was confirmed in October 2019.

ARCHER is one of the most powerful supercomputers in the UK, although it is outclassed by the UK's most powerful publicly known super, an eight-petaFLOPS 241,920-core Cray-Intel machine operated by the Meteorological Office, as well as by the European Centre for Medium-Range Weather Forecasts' two Cray XC-40s, the Atomic Weapons Establishment's in-house supercomputer and others. It is ranked 334th on the TOP500 list of the world's most powerful supercomputers.

The latest updates on the ARCHER status page said: "Unfortunately, due to the severity of the situation, the ARCHER Service will not be returned before Friday 15th May. We will review the situation with UKRI and NCSC on Friday and will then provide a further update to you."

Professor Alan Woodward of the University of Surrey told The Register: "To see a Cray being attacked is very unusual so I imagine it must be the computing infrastructure around it that has been attacked. Most users obviously don't sit at a terminal directly attached to the supercomputers, so if the means for remote access is rendered inoperable it means the supercomputers become just an expensive lump of metal and silicon.

"Looks like someone has somehow managed to gain a secure shell on an access node. Assuming that's true, it's going to be a real pain as you’ll have to set everyone up again."

An NCSC spokesman told The Register: "We are aware of this incident and are providing support. The NCSC works with the academic sector to help them improve their security practices and protect its institutions from threats."

Cray, ARCHER's operators, and counter-coronavirus research teams have been asked if they wish to comment. We will update this article as and when they respond. ®

Updated to add

A University of Edinburgh spokesperson has been in touch to say:

The University of Edinburgh, through its supercomputing centre, EPCC, is currently investigating an issue relating to the UK National Supercomputing Service, ARCHER, that has required access to be temporarily suspended. On the 11th May 2020 our technology partners were notified of a potential issue that indicated some user accounts may have been misused to gain unauthorised access to the service.

Investigations by our technical teams confirmed that a small number of user accounts had been affected so the decision was taken to disable access to allow further work to confirm the extent of the issue. University teams are currently working with specialists from our technology partners and the National Cyber Security Centre to agree the recovery path and determine when access can be safely reinstated.

There is currently nothing to suggest that any research, client or personal data has been impacted by this issue and all relevant stakeholders are being updated.
