Cryptomining hacks aren’t new by any stretch, but a string of recent incidents is raising eyebrows. ZDNet reports that culprits infected multiple European supercomputers with Monero mining malware in the past week, including the University of Edinburgh’s ARCHER, five of bwHPC’s computer clusters and most recently a cluster at Munich’s Ludwig-Maximilians University. That’s unusual by itself, but there appears to be a common thread between the hacks.
Cado Security has determined that the attacks were conducted using compromised SSH (secure shell) logins from universities in Canada, China and Poland, using similar malware file names, the same vulnerability and shared technical indicators. That suggests they might be the work of the same bad actor. In the case of ARCHER, the attacks appear to have come from Chinese IP addresses.
If this is a concerted attack, the motivations aren’t completely clear. This could be a pure cash grab that relies on the power of supercomputers to mine digital currency more effectively than regular PCs. However, Cado and others have observed that this comes right as many institutions are repurposing their supercomputers for COVID-19 research. There’s a concern that this may be a roundabout way to steal research or disrupt it. Whatever the reasoning, this isn’t what supercomputer operators wanted at a time when their services are needed the most.