Cyber attack in Europe: Supercomputers hijacked over cryptocurrency mining

June 3, 2020
european supercomputers hijacked cryptocurrency malware ransomware antimalware trojan

A large number of Supercomputers owned by a European supercomputing firm was just taken over by hackers a few days ago. These supercomputers, located in different countries all over Europe, was commissioned by different government agencies and healthcare organizations in cooperation with the National Cyber Security Centre in UK for Covid-19 research and development.

According to staff members from those locations, they have just recently installed several applications and modelling tools for the pandemic.

One of the first reports of the incursion occurred around the 2nd week of May, where the alleged hackers exposed a security exploit and ultimately disabled access to the Archer Supercomputer, one of the supercomputer facilities at the University of Edinburgh. As soon as the intrusion was detected, all SSH account passwords were disabled and reset in order to counteract any possible attack.

Similar hacking and security incidents have been reported in several locations across the UK, Germany, and Switzerland, to name a few. A related incident was also reported at a high-security facility in Spain.

In Germany, around the state of Baden-Württemberg, the bwHPC (High Performance Computing Center) announced that five (5) of its high-performance computing machine groups were forced to shutdown after a similar intrusion was detected.


According to the supercomputing center, other attacks included:

  1. The Hawk supercomputer at the HPC Center in the University of Stuttgart (HLRS)
  2. The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
  3. The bwForCluster JUSTUS supercomputer at the Ulm University
  4. The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University


More similar and related hacking incidents and intrusions have been reported over the next couple of days following the attack on Archer. The LRZ (Leibniz Computing Center), from the Bavarian Academy of Sciences shutdown several clusters of their computing facilities after a security breach the other day.

Even the JURECA, JUWELS, and JUDAC Supercomputers in Germany were shut down due to a yet unidentified security incident. A university facility in Dresden was also disconnected immediately, following an unknown security breach. Cyber security researchers and network experts have been conducting their analysis on the malware infection that occurred on an HPC facility at the Ludwig-Maximillians University in Munich.

Elsewhere, in Switzerland, The CSCS (Swiss Center of Scientific Computations) in Zurich took down all external access to its supercomputing facility due to an unknown security breach. They are making sure that the facility remains closed until experts have determined and restored a safe operating environment.

The Computer Security Incident Response Team (CSIRT) analyzed and released samples of the malware and several network compromise data collected from some of the incidents. Since none of the abovementioned organizations provided any details regarding their facilities’ security breaches, the European Grid Infrastructure (EGI) team from CSIRT are deep diving into the samples to get a clue on what might’ve transpired on those simultaneous intrusions.

A cyber security firm in the UK said that it is possible that the attacks were coordinated by one group only. And that they have managed to coordinate and gain access to those supercomputing facilities via compromised SSH access credentials. They may have stolen these credentials to university employees and members from all across the globe and used them to further their strategy and carry out their attack.

The fact that the samples and several network data indicators look the same, is quite substantial to prove that the series of attacks were carried out by the same hackers or group. Further analysis by the researchers shows that once the hackers gain access to the supercomputers node, they immediately make use of the CVE-2019-15666 loophole to acquire root access and automatically initiate the crypto mining application to mine Monero Cryptocurrency (XMR).

The affected organizations will continue their investigation and will be patching every possible entry to their systems. These incidents are quite alarming, and security experts can’t help but think that crypto mining is such a small task to use these supercomputing facilities. There might be something more sinister and huge-scale being planned on the background, but then again, no one knows for sure.

About the author

Leave a Reply