Stolen Credentials Behind Supercomputing Attacks

More than two weeks after attackers took several top academic supercomputing sites offline, one of the larger sites, ARCHER, is back online, but many of the others are still unavailable as investigators work to understand exactly what’s happened.

The attacks began hitting some of the larger supercomputers in the world on May 11, and within a few hours, the teams operating sites such as ARCHER at the University of Edinburgh, Taurus at the Technical University of Dresden, Hawk at the Stuttgart High Performance Computing Center, and the Leibniz Supercomputing Center had taken the supercomputers offline to figure out what was going on. The intrusions shared some common traits and appeared to have taken advantage of compromised credentials. But it is unclear exactly what the attackers’ goals were in targeting supercomputing sites. Although some of the incidents showed evidence of cryptomining, others did not, and there does not seem to be any indication that the attackers were trying to leverage the sites’ massive compute power for any specific task.

ARCHER, like many of the targeted sites, handles mainly academic workloads and has users spread across many industries and around the world. Many of those users also have accounts on other academic supercomputing sites, and that cross-pollination may have been one of the things that the attackers took advantage of in the string of intrusions. The team at the Leibniz Supercomputing Center at the Bavarian Academy of Sciences and Humanities found that external accounts that had been compromised were one of the causes of the intrusion there.

“The possibility of attack resulted from the combination of two circumstances: A number of compromised user accounts on external systems whose private SSH keys were configured with an empty passphrase; An error in the software that can be used to obtain administration rights after regular login,” a statement from Leibniz from May 21 says.

“It is not yet known what goals the perpetrators pursued with the attacks. We have so far found no evidence of concrete activities such as accessing or manipulating data records from regular system users.”

Many of the affected supercomputing sites require external users to log in using SSH, and the combination of compromised accounts with private keys that had no passphrase gave the attackers the inroad they needed to gain access. If users who had access to several separate supercomputing sites reused their credentials on two or more of those sites, that would have been an easy leap for the attackers.
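As an added example, not code from the article or from any of the sites it names: a small Python audit that tells whether a private SSH key file is passphrase-protected, which is the check the Leibniz statement is asking users to satisfy. It reads the cipher name in the openssh-key-v1 header (a cipher of "none" means the key is stored unencrypted) and, for legacy PEM keys, the RFC 1421 "Proc-Type: 4,ENCRYPTED" header; the sample keys are constructed with dummy payloads.

```python
"""Audit SSH private keys for missing passphrases (added example)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True if the private key on disk is encrypted, False if it has an empty passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM-framed private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is advertised in RFC 1421 headers.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)


def _openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a minimal openssh-key-v1 blob; key material is dummy bytes."""
    def s(b): return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"dummy-pub") + s(b"dummy-priv"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_KEY = _openssh_key(b"none", b"none")          # empty passphrase
PROTECTED_KEY = _openssh_key(b"aes256-ctr", b"bcrypt")    # passphrase set
LEGACY_PROTECTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                        "-----END RSA PRIVATE KEY-----\n")  # constructed sample

if __name__ == "__main__":
    for name, key in [("unprotected", UNPROTECTED_KEY), ("protected", PROTECTED_KEY),
                      ("legacy", LEGACY_PROTECTED_KEY)]:
        print(name, "passphrase-protected:", key_is_passphrase_protected(key))
```

To audit real files, pass the contents of each `~/.ssh/id_*` file to `key_is_passphrase_protected`; a False result is a key that should be regenerated with a passphrase.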

As a result of the attacks, the affected sites are resetting passwords and requiring users to have SSH configured with a passphrase. ARCHER, which came back online on May 21, is instituting those controls.

“ARCHER users will be required to use two credentials to access the service: an SSH key with a passphrase and their ARCHER password. It is imperative that you do not reuse a previously used password or SSH key with a passphrase,” the site’s status message from May 21 says.

The team at Leibniz also has invalidated all user passwords and SSH keypairs in the wake of the attack and has not yet set a date for the future availability of the supercomputer.

“All public secure shell keys stored on the HPC systems by regular users are invalidated and can therefore no longer be used for authentication. All users must therefore generate new key pairs, whereby it is essential to ensure that the private key on the computer from which the login is made must not be assigned an empty passphrase,” the Leibniz team said.

Several of the other affected sites are still offline, including Taurus and Hawk, with no specific dates set for restarting them.