Other European Supercomputers Also Affected, Officials Say
ARCHER, a British high-performance computing system for academic and theoretical research, has been offline since May 11, when a “security incident” forced the University of Edinburgh to take down and cut off research access to the supercomputer. The same incident also affected supercomputers in other parts of Europe, university officials say.
University officials said in a Friday alert that they hoped to have ARCHER, which stands for Advanced Research Computing High End Resource, back online soon.
“All of the existing ARCHER passwords and SSH keys will be rewritten and will no longer be valid on ARCHER,” according to Friday’s alert. “When ARCHER returns to service, all users will be required to use two credentials to access the service: an SSH key with a passphrase and their ARCHER password.”
Once the University of Edinburgh discovered that someone had apparently exploited ARCHER’s login nodes earlier this week, the university took the supercomputer offline and began resetting passwords and SSH keys, which use encryption to establish a remote link between a device and a server.
The U.K. National Cyber Security Center, which is part of intelligence agency GCHQ, is continuing to investigate the incident. An NCSC spokesperson declined to provide any additional details about the nature of the incident.
ARCHER ranks 339th on the Top 500 Supercomputer list compiled by University of Tennessee, Knoxville; the National Energy Research Scientific Computing Center; and Lawrence Berkeley National Laboratory. It provides scientists and researchers with the ability to run large simulations and calculations.
The incident that affected supercomputers in Europe comes at a time when researchers are attempting to develop vaccines and treatments for COVID-19.
Typically, supercomputers and high-performance systems are not targeted by hackers, according to security experts.
“To see a [supercomputer] being attacked is very unusual, so I imagine it must be the computing infrastructure around it that has been attacked,” Alan Woodward, a professor of computer science at the University of Surrey, tells the Register. “Most users obviously don’t sit at a terminal directly attached to the supercomputers, so if the means for remote access is rendered inoperable, it means the supercomputers become just an expensive lump of metal and silicon.”
Woodward tells Information Security Media Group that an attacker likely gained access to a secure shell file. “I’m reading between the lines when they say that all passwords and SSH keys will be reset,” he says. “It suggests someone managed to gain a secure shell, maybe using compromised root credentials and potentially leave the door ajar for re-entry.”
A university spokesperson told the Register that no personal or academic data was compromised during the incident.
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency recently warned that hacking groups linked to the Chinese government are targeting research and healthcare facilities that are working on developing vaccines, testing procedures and treatments for COVID-19. (see: US Says China-Linked Hackers Targeting COVID-19 Researchers)
Earlier this month, CISA and the NCSC released a joint statement warning that advanced persistent threat groups affiliated with or linked to nation-states had begun targeting a variety of organizations involved in the COVID-19 response in both the U.S. and Britain.
It’s not clear if ARCHER was directly involved in COVID-19 research. But Chris Morales, the head of security analytics at security firm Vectra, notes that this incident is likely to slow down any research that relied on ARCHER, costing academics and scientists precious time.
“As almost all user access is remote access for supercomputers and the interconnectivity of joint academic networks, the lost computational time will be significant and likely impact any research projects being analyzed,” Morales tells ISMG.
Executive Editor Mathew Schwartz contributed to this report.