Numerous high-performance computing centers are offline after attacks. Evidence points to crypto mining.
After the attacks on the high-performance computing centers of several research institutions, there is speculation about the background. While British media reports suspect a possible connection with current research on Covid-19 vaccines, the security team of the European Grid Infrastructure (EGI) foundation reports attacks that abused the research infrastructure to mine cryptocurrency. Dieter Kranzlmüller of the Leibniz Supercomputing Centre of the Bavarian Academy of Sciences (LRZ) considers this explanation too simple.
Data centers shut down
It became known on Thursday that several high-performance computing centers had disabled access in the past few days, citing “security problems”, among them the Leibniz Supercomputing Centre in Garching, the Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) and Jureca in Jülich. At the LRZ in Garching, a team of seven investigators from the State Criminal Police Office (Landeskriminalamt) is now investigating. According to information obtained by heise online, the entire network of the Partnership for Advanced Computing in Europe (PRACE) is affected.
The EGI Computer Security Incident Response Team (EGI-CSIRT) reports attacks in which servers are primarily misused for mining. Software for mining the cryptocurrency Monero was found on various compromised machines. To cover their tracks, the attackers reportedly used the Diamorphine kernel rootkit, a loadable kernel module that hides itself, selected processes and files from userland tools, and connected to the compromised hosts via the Tor network.
Stolen SSH credentials
According to the report, the starting point for the attacks was access to university computers in China, Canada and Poland. From there, the attackers worked their way through various servers in the science networks. Using stolen SSH credentials, they configured the compromised hosts for different roles: as XMR (Monero) miners, proxy hosts, SOCKS proxies or SSH tunnels. The compromised keys and passwords may also have been used against the supercomputers now under attack.
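The pattern described above, one set of SSH credentials reused from host to host across a science network, leaves a characteristic trace in sshd logs: the same key fingerprint accepted from many different source addresses, and a single compromised host fanning out to many destinations. The following script is an added example by the editor, not code from EGI-CSIRT or any of the affected centers. It assumes OpenSSH's default "Accepted publickey for … ssh2: RSA SHA256:…" log format, that the logs of all hosts are collected centrally, and uses constructed log lines with invented hostnames, addresses and fingerprints. The thresholds are illustrative assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sshd log lines, as they would arrive at a central syslog
# collector from several hosts. Hosts, users, addresses and fingerprints
# are invented for illustration (real SHA256 fingerprints are 43 chars).
SAMPLE_LOGS = [
    "May 11 02:14:07 login1 sshd[2311]: Accepted publickey for alice from 203.0.113.10 port 51822 ssh2: RSA SHA256:k3yA",
    "May 11 02:20:41 node07 sshd[911]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:k3yA",
    "May 11 02:33:12 node12 sshd[1402]: Accepted publickey for alice from 192.0.2.55 port 36010 ssh2: RSA SHA256:k3yA",
    "May 11 03:01:55 login1 sshd[2388]: Accepted publickey for bob from 203.0.113.44 port 50001 ssh2: ED25519 SHA256:k3yB",
    "May 11 03:05:00 node07 sshd[950]: Accepted publickey for bob from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:k3yB",
    "May 11 03:10:30 node12 sshd[1450]: Accepted publickey for carol from 198.51.100.7 port 40200 ssh2: RSA SHA256:k3yC",
    "May 11 03:11:02 node19 sshd[777]: Accepted password for dave from 198.51.100.7 port 40300 ssh2",
    "May 11 03:12:40 node07 sshd[960]: Failed password for root from 198.51.100.7 port 40301 ssh2",
]

# OpenSSH "Accepted" line. The trailing key type and fingerprint are only
# present for publickey logins, so that group is optional.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)


def parse_accepted(lines):
    """Return one dict per successful login; other lines are ignored."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(lines, key_reuse_threshold=3, fanout_threshold=3):
    """Flag two lateral-movement indicators (thresholds are assumptions):

    key_reuse: a key fingerprint accepted from >= key_reuse_threshold distinct
               source addresses, i.e. a possibly stolen private key in use
    fanout:    a source address that logged in to >= fanout_threshold distinct
               hosts, i.e. a possible compromised jump host
    """
    key_sources = defaultdict(set)   # fingerprint -> source IPs
    src_hosts = defaultdict(set)     # source IP -> destination hosts
    src_users = defaultdict(set)     # source IP -> accounts used
    for ev in parse_accepted(lines):
        if ev["fp"]:
            key_sources[ev["fp"]].add(ev["ip"])
        src_hosts[ev["ip"]].add(ev["host"])
        src_users[ev["ip"]].add(ev["user"])
    return {
        "key_reuse": {
            fp: sorted(ips)
            for fp, ips in key_sources.items()
            if len(ips) >= key_reuse_threshold
        },
        "fanout": {
            ip: {"hosts": sorted(hosts), "users": sorted(src_users[ip])}
            for ip, hosts in src_hosts.items()
            if len(hosts) >= fanout_threshold
        },
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOGS)
    for fp, ips in findings["key_reuse"].items():
        print(f"key {fp} accepted from {len(ips)} addresses: {', '.join(ips)}")
    for ip, info in findings["fanout"].items():
        print(f"{ip} reached {info['hosts']} as {info['users']}")
```

On the constructed sample, the key `SHA256:k3yA` is flagged because it was accepted from three unrelated addresses, and `198.51.100.7` is flagged because it reached three hosts under four different accounts; the failed root login is ignored, and `SHA256:k3yB` stays below the threshold. Two practical caveats: legitimate login nodes and shared gateways also fan out, so whitelist them or raise the threshold per site; and because a kernel rootkit such as Diamorphine can hide processes and files on the compromised host itself, run this kind of analysis on logs shipped off-host rather than on the local files.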
Kranzlmüller considers it quite possible that the attacks observed by EGI-CSIRT are related to the attack on the supercomputing centers. The hopping across the science networks could have been the route to the supercomputers, the head of the LRZ told heise online. He considers it unlikely that it is just cryptomining.
The nature of the attack points to professionals who are interested in more than mining. At present, however, the exact modus operandi and the motives are still unclear. “I get a new message every two hours from one of the affected centers, with which we are working closely,” says Kranzlmüller. In total, he knows of a double-digit number of affected high-performance computing centers.
Numerous facilities affected
The entire PRACE network is affected. It comprises a total of 26 high-performance computing centers in the European Union and beyond. In addition to Stuttgart and Jülich, which told heise online that their systems had been disconnected from the network, at least half a dozen other computing centers in Germany are affected. According to Kranzlmüller, university computing centers are affected as well.
Kranzlmüller said there had already been speculation among the computing centers about a possible connection between the large-scale attack and current research on the coronavirus. On the other hand, there is evidence that the first traces of the attackers date back to before the corona crisis. The model simulations now being used to identify drug and vaccine candidates are long-term projects, “and difficult for a potential attacker to make use of,” Kranzlmüller estimates.
The ongoing forensic work in Garching and elsewhere is now slowing down science. “That is what hurts me as a scientist,” says Kranzlmüller. In Garching, however, efforts are being made to keep long-running jobs going. Only external access, i.e. retrieving results from the running simulations, is currently not possible.