Several high-performance computers (HPCs) and data centers used for research projects have been shut down this week across Europe due to security incidents.

About a dozen of these supercomputers are affected in Germany, U.K., and Switzerland, leaving researchers unable to continue their work. Some were compromised as early as January.

Supercomputers are extremely powerful systems built on traditional hardware to perform high-speed computations. They are used mainly for scientific work and testing mathematical models for complex physical phenomena and designs.

Multiple clusters down in Germany
On Monday, notifications started to roll out from the U.K. and Germany about supercomputers being shut down following cyber attacks.

ARCHER, UK’s National Supercomputing Service, became unavailable to researchers on May 11 due to security exploitation on its login nodes. The service remains locked to external access and fresh news will be posted tomorrow.

“Jobs that are currently running or queued will continue to run, but you will be unable to log in or to submit new jobs”

Another informs that all existing ARCHER? passwords and SSH keys will be reset. Users logging in when the service comes back online will need two credentials: an SSH key with a passphrase and a fresh ARCHER password.

The Baden-Württemberg High Performance Computing (bwHPC) project in Germany on the same day announced a security incident that made five of its clusters unavailable, with no timeframe for resuming operations:

bwUniCluster 2.0 at the Karlsruhe Institute of Technology
ForHLR II at the Karlsruhe Institute of Technology
bwForCluster JUSTUS, used for chemistry applications
bwForCluster BinAC at the University of Tübingen, used for bioinformatics and astrophysics projects
Hawk, inaugurated in February at the High-Performance Computing Center in Stuttgart
Leibniz Supercomputing Center on Thursday notified users that a security incident affected its high-performance computers, prompting the institute to isolate them from the outside world.

Also on Thursday, the Jülich Supercomputing Centre (JSC) in Germany announced that its JURECA, JUDA, and JUWELS supercomputers became unavailable due to an IT security incident.

By the end of the week, at least nine supercomputers in Germany were impacted by cyber attacks, according to SPIEGEL journalist Patrick Beuth.

A similar note was posted for the Taurus system at the Technical University in Dresden: “Due to a security issue we have temporarily closed access to Taurus.”

The bwForCluster NEMO in Freiburg, used for research in neuroscience, elementary particle physics, and microsystems engineering, has also been hacked.

Beuth reports that users received emails saying that the attacker’s way in was a stolen account with root privileges. A total of seven attacks were detected, the first one on January 9.

On Saturday, the Swiss Center of Scientific Computations (CSCS) informed its users that several high-performance computers and academic data centers can no longer be accessed due to malicious activity detected on the systems.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum” – CSCS Director Thomas Schulthess

Cryptojacking intent
Details are scarce about the purpose of the attack but the European Grid Infrastructure (EGI) in an advisory yesterday published details about two cyber attacks hitting academic data centers that appear to be the work of the same actor.

In both cases, the attacker was using compromised SSH credentials to hop from one host to another to abuse CPU resources for mining Monero cryptocurrency. Some hosts are used for mining, others are proxies for connecting to the mining server.

The Computer Security Incident Response Team (CSIRT) at EGI found that in one case, the malicious mining activity is configured to run only during night hours, most likely to avoid detection.

CSIRT released technical details and indicators of compromise for the incidents they analyzed, noting that victims are located in China, the U.S., and Europe.

Malware details
Tillmann Werner, security researcher at CrowdStrike, told BleepingComputer that one component of the malware has root privileges and loads other programs. Another component is used to remove traces from log data.

The researcher also says that both components are ELF64 binaries. The loader is placed under “/etc/fonts/.fonts” and the log cleaner is under “/etc/fonts/.low.”

Apparently, there are different files that are compiled on the target system but their functionality is the same. He provides YARA? detection rules for both parts (1, 2):

rule loader { strings: $ = { 61 31 C2 8B 45 FC 48 98 } condition: all of them }
rule cleaner { strings: $ = { 14 CC FC 28 25 DE B9 } condition: all of them }
An analysis of the two malware components is available from Robert Helling and Cado Security, a cybersecurity company in the US. The firm says that the malware was uploaded to the VirusTotal scanning service from Germany, UK, Switzerland, and Spain.

Security researcher Felix von Letiner said in a blog post that colleagues of his in Poland reported that a supercomputer in Barcelona was also impacted.