The string of intrusions at supercomputing sites in Europe and the United States that began last week involves attackers using compromised machines in networks in China and Poland to connect to target supercomputers, where they then use stolen credentials and SSH keys to log in and move from one instance to another.
The attacks have hit several supercomputing instances in Germany, one in Scotland, and at least one in the U.S., and most of the affected sites have been taken offline as a result. The incidents share a number of characteristics, including the presence of a pair of files on compromised machines, the use of SSH credentials to move between machines, and the involvement of IP addresses in China. But there appear to be two separate clusters of attacks, one that is focused on installing cryptomining software and another that is strictly installing a backdoor.
The cryptomining attacks are designed to harness the enormous compute power of the compromised supercomputers and add them to a Monero mining pool. The attackers are assigning specific roles to compromised machines and using some as proxies and others as simple miners, according to an analysis of the compromises by the European Grid Infrastructure’s incident response team.
“A malicious group is currently targeting academic data centers for CPU mining purposes. The attacker is hopping from one victim to another using compromised SSH credentials. Connections to the SOCKS proxy hosts are typically done via TOR or compromised hosts. The attackers use different techniques to hide the malicious activity, including a malicious Linux Kernel Module,” the analysis says.
“It is not fully understood how SSH credentials are stolen, although some (but not all) victims have discovered compromised SSH binaries. At least in one case, the malicious XMR activity is configured (CRON) to operate only during night times to avoid detection. There are victims in China, Europe and North America.”
One of the supercomputers affected by the recent attacks, ARCHER at the University of Edinburgh, has been offline for a week now as the team has been trying to diagnose the issue and repair the damage.
“As previously mentioned, all of the existing ARCHER passwords and SSH keys will be rewritten and will no longer be valid on ARCHER,” the team said in a status message on May 15.
Researchers have been tracing the attacks, looking at patterns, and reverse engineering the malware installed by the attackers. In the attacks that are not focused on cryptomining, the intrusions typically involve the installation of two files: a loader with root privileges and a log cleaner. Both files are typically installed in the /etc/fonts directory on compromised machines, and samples of them have been uploaded to the VirusTotal service. The EGI incident response team identified a number of individual IP addresses at Shanghai Jiaotong University in China and one in Poland that are likely associated with compromised computers the attackers have been using as hosts to log in to the target supercomputers over SSH.
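Two of the indicators described above, a mining job scheduled only at night and executables dropped into /etc/fonts, are cheap to check for on a host. The Python triage helpers below are an added example, not code from EGI or from the incident reports; the 22:00-06:00 quiet window is an assumption to be tuned per site.

```python
"""Host triage for two indicators from the EGI analysis: cron jobs confined to
night hours and executables dropped into /etc/fonts (constructed example)."""
import os
import stat

NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed quiet window; tune per site

def cron_hours(field):
    """Expand a cron hour field ('*', '1-5', '0,2,23', '*/3') into a set of hours."""
    hours = set()
    for part in field.split(","):
        step = int(part.split("/", 1)[1]) if "/" in part else 1
        part = part.split("/", 1)[0]
        if part == "*":
            lo, hi = 0, 23
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        hours.update(range(lo, hi + 1, step))
    return hours

def night_only_jobs(crontab_text):
    """Return crontab lines whose hour schedule lies entirely inside NIGHT_HOURS."""
    flagged = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":  # comments and @reboot-style entries
            continue
        fields = line.split(None, 5)  # min hour dom mon dow command
        if len(fields) < 6:
            continue
        try:
            hours = cron_hours(fields[1])
        except ValueError:
            continue
        if hours and hours <= NIGHT_HOURS:
            flagged.append(line)
    return flagged

def suspicious_entries(entries):
    """From (path, st_mode) pairs, keep regular files with any execute bit set."""
    xbits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(p for p, m in entries if stat.S_ISREG(m) and m & xbits)

def scan_fonts_dir(directory="/etc/fonts"):
    """Walk the directory (symlinks not followed) and apply suspicious_entries."""
    entries = [(os.path.join(r, f), os.lstat(os.path.join(r, f)).st_mode)
               for r, _d, files in os.walk(directory) for f in files]
    return suspicious_entries(entries)
```

Run `night_only_jobs` over each user's crontab and the /etc/cron.d files, and `scan_fonts_dir()` on the live host; a font directory that contains an executable, or a job that only ever runs in the quiet window, warrants a closer look.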