On May 11, ARCHER, a supercomputing service hosted by the University of Edinburgh and used by science and medical researchers across the UK and around the world, was hit by an attack that has kept the service offline for the better part of five days. The incident is one of several intrusions that have affected high-performance computing centers across Europe in recent days, several of which share key characteristics.
ARCHER is a service run on a Cray XC30 supercomputer and it supports resource-intensive research projects in a number of different fields, including biomedical, physics, bioscience, and climate. The service allows external connections from users in remote locations and supports research from both academic and industrial researchers.
On Monday afternoon, the ARCHER team posted a status message saying that the service had been taken offline because of a “security exploitation”. There were no more details about the nature of the incident, and the service remained unavailable for the next two days as the team continued to investigate what had happened. By Wednesday, the team was advising users to change their passwords and the SSH keys associated with their accounts, an indication that perhaps the intrusion was the result of compromised credentials.
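The advice to rotate passwords and SSH keys only helps if users and administrators can also see which keys currently grant access to an account. The following is an added example, not code from ARCHER, EPCC or the University of Edinburgh: it parses an `authorized_keys` file, computes each key's fingerprint using OpenSSH's SHA256 scheme (SHA-256 over the decoded key blob, base64-encoded with padding stripped), and reports any entry whose fingerprint is not on an approved list. The sample file and the key material in it are constructed for the example, not real keys.

```python
import base64
import hashlib
import re

# Matches the key-type token, the base64 blob and an optional trailing comment.
# Anything before the match is treated as the options field. (Simplification:
# an options command string that itself contains "ssh-" would confuse this.)
KEY_RE = re.compile(
    r"(ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(public_key_bytes: bytes) -> str:
    """Build the base64 blob of an ssh-ed25519 public key from 32 raw bytes.

    Used here only to construct sample input; the bytes passed in are not a real key."""
    if len(public_key_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(public_key_bytes)
    return base64.b64encode(blob).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(decoded blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys content into one dict per key entry.

    Blank lines and '#' comments are skipped; lines that do not look like a key
    are reported with an 'error' field rather than silently ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        ktype, blob, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        entries.append({
            "line": lineno,
            "options": line[: m.start()].strip(),  # e.g. no-pty,command="..."
            "type": ktype,
            "fingerprint": fingerprint(blob),
            "comment": comment,
        })
    return entries


def audit(text: str, approved_fingerprints: set) -> list:
    """Return entries that are unparseable or whose fingerprint is not approved."""
    return [
        e for e in parse_authorized_keys(text)
        if "error" in e or e["fingerprint"] not in approved_fingerprints
    ]


# Constructed sample input (hypothetical user, hypothetical keys).
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes([0x42] * 32))
SAMPLE_AUTHORIZED_KEYS = (
    "# keys for user alice (constructed sample)\n"
    f"ssh-ed25519 {KEY_A} alice@laptop\n"
    "\n"
    f'no-pty,command="/bin/true" ssh-ed25519 {KEY_B} unknown\n'
)
APPROVED = {fingerprint(KEY_A)}  # what the user says they actually installed


if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {e['line']}: not approved -> {e}")
```

The approved set would in practice be built from the fingerprints of the keys a user has just regenerated; anything left over after rotation is a key that should not be there.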
More ominously, the ARCHER team indicated that their incident was likely part of a larger rash of intrusions at high performance computing labs.
“We now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe. We have been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the position and plan effective remedies,” the ARCHER status message from Wednesday said.
Among the other high performance computing sites that have been affected by similar attacks are several in Germany and one in Switzerland, according to a report by Der Spiegel, the German magazine. Most of the affected sites have status messages telling users that the service is unavailable for the time being because of a security incident. The Leibniz Supercomputing Center, one of the top 10 largest supercomputing sites in the world, is among the installations affected.
“We can confirm a security incident that affects our high-performance computers. For safety's sake, we have therefore isolated the affected machines from the outside world. The users and the responsible authorities have been informed,” the status message for the Leibniz Supercomputing Center says.
Other sites that are unavailable at the moment include the Hawk service at the Stuttgart High Performance Computing Center, Taurus at the Technical University of Dresden, and three separate services at the Jülich Supercomputing Center.
The attacks on ARCHER and the other high performance computing labs around Europe come at a time when both academic and industrial research teams are working frantically to analyze and develop vaccines for COVID-19. That is resource intensive work that requires the kind of massive compute power possessed by supercomputers. Research on treatments and vaccines is ongoing in many countries and researchers are collaborating, but at the same time, attackers are targeting institutions and facilities involved in the effort. On Wednesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that adversaries affiliated with the Chinese government had been running operations against some organizations involved in COVID-19 research.
“The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” the advisory says.
“The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
As of Friday, the ARCHER service was still offline, and the team at the University of Edinburgh that’s responsible for its operation said that the investigation was still going on, with the assistance of the NCSC.
“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system,” the latest status update from Thursday says.
“We are hoping to return ARCHER back to service early next week but this will depend on the results of the diagnostic scans taking place and further discussions with NCSC.”