A British supercomputer hacked last week was among a group of big beasts targeted around the world to mine cryptocurrency, it has emerged.
The European Grid Infrastructure (EGI) team reported this week that, in addition to the hijacked user accounts on the ARCHER cluster at the University of Edinburgh, Scotland, supercomputers in China, Europe, and North America were also broken into by miscreants bent on crafting Monero coins using whatever compute resources they could find.
The EGI also noted there were two waves of attacks on high-performance systems, one for mining coins and the other for some as-yet unknown purpose, saying the separate intrusions "may or may not be correlated."
According to the supercomputing body's summary of events, hackers used stolen SSH credentials to access the supercomputers, then assigned the nodes various roles: some mined the cryptocurrency, while others acted as mining proxies or as Tor and SSH tunneling hosts.
The logins may have been stolen by replacing SSH executables with backdoored programs that siphoned off the credentials.
"The attackers use different techniques to hide the malicious activity, including a malicious Linux kernel module," the EGI security team noted in its advisory. "It is not fully understood how SSH credentials are stolen, although some (but not all) victims have discovered compromised SSH binaries.
"At least in one case, the malicious XMR activity is configured (CRON) to operate only during night times to avoid detection."
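The EGI advisory gives a defender two concrete things to look for: SSH binaries that no longer match what the package manager installed, and a scheduled job that only ever runs during the night. The following Python is an added illustration of both checks and is not code from the article, from EGI or from Cado Security; the crontab lines, the "known-good" hashes and the 22:00 to 05:59 night window are constructed assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Assumed "night" window for the schedule check; tune to the site's real off-hours.
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))
# Locations a legitimate scheduled job would not normally execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def expand_cron_field(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one crontab field ('*', '3', '1-5', '*/2', '22-23,0-5') into a set of ints."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line: str):
    """Return (minute_field, hour_field, command) for a job line; None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6 or "=" in parts[0]:
        return None
    return parts[0], parts[1], parts[5]


def suspicious_command(command: str) -> bool:
    """True if the executable lives in a scratch directory or under a hidden path component."""
    exe = command.split()[0]
    if exe.startswith(SCRATCH_DIRS):
        return True
    return any(seg.startswith(".") and seg not in (".", "..") for seg in exe.split("/"))


def triage_crontab(crontab: Iterable[str]) -> List[Dict[str, object]]:
    """Report each job with the reasons it merits a look: night-only schedule and/or odd location."""
    findings: List[Dict[str, object]] = []
    for line in crontab:
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        _minute, hour_field, command = parsed
        hours = expand_cron_field(hour_field, 0, 23)
        reasons = []
        if hours <= NIGHT_HOURS:          # every scheduled hour falls inside the night window
            reasons.append("night-only")
        if suspicious_command(command):
            reasons.append("scratch-or-hidden-path")
        if reasons:
            findings.append({"command": command, "hours": sorted(hours), "reasons": reasons})
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def drifted_binaries(baseline: Dict[str, str], observed: Dict[str, bytes]) -> List[str]:
    """Paths whose current SHA-256 differs from the known-good baseline, or that the baseline never recorded."""
    return sorted(path for path, data in observed.items() if baseline.get(path) != sha256_hex(data))


# Constructed sample crontab; none of these lines come from the incidents in the article.
SAMPLE_CRONTAB = [
    "# constructed sample crontab",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "0 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf",
    "*/15 * * * * /opt/monitoring/agent --heartbeat",
    "*/5 22-23,0-5 * * * /var/tmp/.cache/run >/dev/null 2>&1",
    "30 6 * * * /usr/local/bin/backup.sh",
]

# Constructed stand-ins for package-manager hashes and for the bytes currently on disk.
BASELINE = {"/usr/bin/ssh": sha256_hex(b"good ssh"), "/usr/bin/ssh-agent": sha256_hex(b"good ssh-agent")}
OBSERVED = {"/usr/bin/ssh": b"good ssh", "/usr/bin/ssh-agent": b"trojaned ssh-agent"}

if __name__ == "__main__":
    for finding in triage_crontab(SAMPLE_CRONTAB):
        print(finding)
    print("drifted:", drifted_binaries(BASELINE, OBSERVED))
```

On a real host the baseline would come from the package manager (`dpkg --verify openssh-client` on Debian-family systems, `rpm -V openssh-clients` on Red Hat-family ones) rather than a hand-built dictionary, and the scan would cover `/etc/cron*`, `/var/spool/cron` and every user's crontab. The night-only flag is a triage filter, not a verdict: it also catches ordinary maintenance such as the weekly logrotate job above, which is why the second signal (a job running out of `/var/tmp` or a hidden directory) is reported alongside it.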
Cado Security bods, meanwhile, dug into the cryptomining malware installed on the systems, and noted something interesting: it appears much of the malicious code was compiled on the infected machines – a sign of a slightly more sophisticated attacker, in that a generic x86-64 binary was not deployed; instead, one built and potentially optimized for each infected super was used.
"Normally when investigating crypto-jacking attacks against servers, you will see the same piece of malware uploaded from a number of victims," the team noted. The pile of evidence linking the two separate sets of supercomputer intrusions has led the Cado eggheads to believe it was all the same operation.
We're told the criminals were logging into the machines from compromised networks at the University of Krakow, Poland; the Shanghai Jiaotong University, China; and the China Science and Technology Network. The fact that boffins give each other access to their supercomputers, to further scientific research, helps explain why the miscreants were able to move between supers and networks seemingly so easily.
In addition, computers at the University of Freiburg, Germany; the University of Toronto, Canada; the University of California, Los Angeles, USA; and Stony Brook University, New York, USA are suspected to have been compromised and roped into the operation.
This wouldn't be the first time a supercomputing beast has been hijacked to generate digital currency.
Back in 2014, a Harvard student was caught using a 14,000-core cluster at the uni to mine Dogecoin, and in 2018 two Russian scientists were collared after they crafted alt-coins on a supercomputer at one of the nation's nuclear weapons facilities. ®